Forum Discussion
Kerberos Authentication Failing for Exchange 2016 Behind F5 Cloud WAF
Thank you again for your insights on Kerberos auth—it's helpful to have your perspective, especially on the BIG-IP side. I appreciate the note on Kerberos not being ideal over the open internet and the role of KCD in APM.
To clarify our setup: We're focusing Kerberos primarily for internal, domain-joined clients connecting to our on-premises Exchange servers (via Negotiate for Outlook Anywhere and MAPI/HTTP). However, we also need seamless connectivity for both domain-joined and non-domain-joined users accessing from outside our network (through the internet), such as remote workers or mobile devices. External access uses OWA/ActiveSync, so Kerberos isn't exposed directly to the internet. We've completed the on-premises config (ASA, SPNs on http/mail.<domain> and http/autodiscover.<domain>, virtual directories set to Negotiate), but we're seeing end-user password prompts in Outlook, suggesting a potential delegation or pass-through issue at the F5 layer.
Could you guide us on BIG-IP-side tweaks to resolve this? Specifically:
- Recommendations for enabling Kerberos Constrained Delegation (KCD) in APM policies or iRules to properly handle Negotiate auth delegation from BIG-IP to the backend Exchange servers, while supporting external access for both domain-joined and non-domain-joined users?
- Any common virtual server or pool configurations needed for Kerberos ticket forwarding (e.g., ensuring HTTP profiles support Negotiate without breaking external connectivity)?
- If there's a sample iRule or policy snippet for Exchange Kerberos that we could adapt, that would be gold.
To clarify, are all internal users working as expected? Do internal users use the F5 Distributed Cloud WAF, or just the internal BIG-IP?
- Kayjay88 (Nimbostratus), Oct 24, 2025
Hi JoshBecigneul, yes, internal users are working without issue and they are not connected to the WAF. Their traffic goes directly to our internal LB and from there to the Exchange server.
