Forum Discussion
FastL4 VS not passing the SSO credentials properly
If I may add,
You can absolutely shuttle Kerberos traffic through a non-APM LTM VIP. The biggest issue you run into though is definition of the service principal name.
For (browser-based) Kerberos to work, a client makes a request to a web server that first responds with a 401 "Authenticate" response. The client then goes directly to a KDC and requests a Kerberos ticket for this service. The server, however, doesn't tell the client its name, so the browser derives the service's name from the URL. If the URL is https://mysite.localdomain.com, then the Kerberos service principal name (SPN) is HTTP/mysite.localdomain.com.
You have two servers in a pool, presumably named "dc01server.example.com" and "dc02server.example.com". And if your VIP resolves to a different name, then that's the name the browser (incorrectly) requests a ticket for. You have a few options here:
- Create an AD service account, give it the VIP's name as its servicePrincipalName attribute (ex. https://mysite.localdomain.com = HTTP/mysite.localdomain.com), and if these are IIS servers, assign this AD account as the owner of the IIS application pools on both boxes. So basically, both IIS services are owned by the same AD account, and that account's SPN is the same as what the client will request a ticket for.
- Deploy APM. APM performs the delegation and handles all of this for you.
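As an added illustration of the SPN mismatch described in this reply (not code from the poster or from F5), the script below derives the SPN a browser would request from a VIP URL and checks it against a constructed table of which AD accounts hold which servicePrincipalName values. The account names, the `svc_web` service account and the SPN table are all assumptions made up for the example; the check flags the three failure modes an operator usually hits: the SPN is not registered at all, it is registered on more than one account, or it is registered on a pool member's machine account rather than on the account the IIS application pools actually run as.

```python
"""Check whether the SPN a browser derives from a VIP URL is registered
exactly once, and on the account that owns the pool members' IIS app pools.
Constructed example; account names and SPN values are not from a real directory."""
from urllib.parse import urlparse

# Constructed sample directory data: account -> servicePrincipalName values.
# Machine accounts are written NAME$; svc_web is the assumed shared service account.
SPN_TABLE = {
    "DC01SERVER$": ["HOST/dc01server.example.com", "HTTP/dc01server.example.com"],
    "DC02SERVER$": ["HOST/dc02server.example.com", "HTTP/dc02server.example.com"],
    "svc_web": ["HTTP/mysite.localdomain.com"],
}


def browser_spn(url):
    """SPN a browser requests for a URL: service class HTTP plus the URL host.
    Assumption (default browser behaviour): the port is not part of the SPN."""
    host = urlparse(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return f"HTTP/{host.lower()}"


def spn_owners(spn, table):
    """Accounts carrying this SPN; SPN comparison is case-insensitive."""
    wanted = spn.lower()
    return sorted(acct for acct, spns in table.items()
                  if wanted in (s.lower() for s in spns))


def check_vip(url, app_pool_account, table):
    """Return (ok, message) for a VIP URL fronting IIS pools run as app_pool_account."""
    spn = browser_spn(url)
    owners = spn_owners(spn, table)
    if not owners:
        # KDC has no principal for this name; the browser's TGS request fails.
        return False, f"{spn} is not registered on any account"
    if len(owners) > 1:
        # Duplicate SPNs are ambiguous; the KDC cannot pick a key to encrypt the ticket.
        return False, f"{spn} is registered on more than one account: {owners}"
    if owners[0].lower() != app_pool_account.lower():
        # Ticket is encrypted with the wrong account's key; IIS cannot decrypt it.
        return False, (f"{spn} is registered on {owners[0]}, but the app pools "
                       f"run as {app_pool_account}")
    return True, f"{spn} is registered once, on {owners[0]}"


if __name__ == "__main__":
    for url, acct in [("https://mysite.localdomain.com", "svc_web"),
                      ("https://mysite.localdomain.com", "DC01SERVER$"),
                      ("https://dc01server.example.com", "svc_web"),
                      ("https://other.localdomain.com", "svc_web")]:
        ok, msg = check_vip(url, acct, SPN_TABLE)
        print("OK " if ok else "BAD", msg)
```

The duplicate-SPN branch matters in practice: if an administrator also adds HTTP/mysite.localdomain.com to one of the machine accounts while troubleshooting, the VIP stops working even though the shared service account is set up correctly.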