

Cypher
Mar 01, 2024

Help with APM Kerberos to IIS Server

Hi,

 

I want to set up F5 APM with Kerberos, so users can connect to multiple destination IIS servers in the back-end that require (Negotiate:)Kerberos authentication. I am testing with 1 virtual server, but it is needed for multiple hostnames & virtual servers.

I am using the following approach for a seamless logon (no login pop-ups). The computers are members of the domain, and so are the IIS servers.

  1. Kerberos Authentication with End-User Logons https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-1-0/9.html.  

As I am no Kerberos specialist, working with these SPNs is difficult.

DNS is properly set up with A & PTR records.

The virtual server has a DNS name: f5internalqa201.domain.local

This has a CNAME for the web application: bi-reports.domain.local

I have a user usr_f5intqa_kerb that can be used to create a keytab file.

I'm running version 16.1.4.2

 

What SPN & ktpass config is needed?

setspn ..

ktpass ..

Where do I use the 'hostname'? Where do I use the CNAME?

 

Thanks!!
