Forum Discussion
elastic_82555
Apr 26, 2013 Nimbostratus
Kerberos and NTLM authentication using APM
Hi,
I have set up the SharePoint 2010 iApp using NTLM authentication, and it is working well (using the F5 login page). However, I now have a requirement to use Kerberos authentication as well...
emssie_128887
Jul 19, 2013 Nimbostratus
I am new to this forum and to F5 products in general. I was troubleshooting an issue with APM Kerberos Auth AAA and stumbled onto this forum. Very good discussion indeed. I have done most of the things pointed out in this article:
1. VIP IP registered in DNS (host A and PTR records) - Testserver.demo.com 10.1.1.5
2. F5 configured to point to the AD domain DNS server
3. Created a service account in AD - demo\SvcAcct
4. Created an SPN -- setspn -U -A HTTP/Testserver.demo.com SvcAcct
5. Created a keytab file = ktpass -princ HTTP/Testserver.demo.com@DEMO.COM -mapuser svcAcct@DEMO.COM -crypto rc4-hmac-nt -ptype KRB5_NT_SRV_HST -pass password -out c:\temp\svcacct.keytab
6. Uploaded the keytab file to the Access Policy AAA Server configuration (verified the keytab file using the klist command tool on the F5 command shell)
7. Created a constrained delegation on the SvcAcct to specific services (HOST and HTTP services of the web servers), any protocol
8. Verified delegation by using the kinit tool
9. Created an access policy: HTTP 401 Response --> Nego -> Kerberos Auth --> success -> Allow
After all this, I still cannot get Kerberos auth to be successful. Can someone tell me what I may be missing or doing wrong?
Thank you for your input in advance.