Forum Discussion
Kerberos Authentication from Multiple Forests
What is the subject name in the request directly before the KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN message (what is the SPN the client is asking for)?

For cross-domain authentication, let's say a user in domA wants to access a resource in domB. The user should already have a TGT for access to domA. When the user attempts to access a resource in domB, it'll get a 401 error message requesting authentication, and then go immediately to its own domain. Through some validation/lookup process, either the client or the domain will know that the requested SPN is for a service in another trusted domain. The client will then request, from domA, a TGT for the domB KDC. It'll then use this TGT to make a TGS request for the resource in domB.
I can create a 2nd account in the 2nd forest and add the same SPN there so it can be found, but do I need to make some form of combined keytab file for the F5 to be able to work with both accounts?
Completely unnecessary. It could be that neither party knows what the SPN goes to. Try running a network capture between the client and the two KDCs and filter on Kerberos (port 88) and DNS (port 53) traffic.
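The first reply asks which SPN sits in the TGS-REQ just before the KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, and the last one suggests reading that off a port 88 capture. The script below is an added example for this thread (not code from F5, DevCentral or any poster): it walks the DER of a Kerberos TGS-REQ and KRB-ERROR far enough to recover sname and realm, then pairs every error-code 7 with the request that preceded it. The realm names DOMA.EXAMPLE / DOMB.EXAMPLE, the service HTTP/app.domb.example and the messages themselves are constructed inline and are assumptions, not a real capture.

```python
"""Minimal RFC 4120 DER walker: read sname/realm out of a TGS-REQ, error-code
and sname out of a KRB-ERROR, and pair each KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
with the TGS-REQ that preceded it. Added example for this thread, not F5 or
DevCentral code; the sample messages are constructed here, not captured."""

KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = 7
TGS_REQ, KRB_ERROR = 0x6C, 0x7E   # [APPLICATION 12] and [APPLICATION 30] tags

# -- tiny DER encoder, used only to build the constructed sample messages --
def der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def ctx(n, content):                 # context-specific constructed tag [n]
    return der(0xA0 | n, content)
def seq(*items):
    return der(0x30, b"".join(items))
def integer(v):
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
def gstring(s):                      # KerberosString is GeneralString (tag 27)
    return der(0x1B, s.encode())
def principal(name_type, *parts):    # PrincipalName ::= SEQUENCE { [0] type, [1] SEQUENCE OF string }
    return seq(ctx(0, integer(name_type)), ctx(1, seq(*[gstring(p) for p in parts])))

# -- decoder --
def tlvs(buf):
    """Yield (tag, value) for each TLV in buf; single-byte tags, which Kerberos uses."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                 # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def first(buf):                      # value of the single TLV that buf holds
    return next(tlvs(buf))[1]
def members(buf):                    # {n: value} for the [n]-tagged members of a SEQUENCE body
    return {tag & 0x1F: val for tag, val in tlvs(buf)}

def parse_principal(buf):
    """PrincipalName TLV -> (name-type, ['HTTP', 'app.domb.example'])."""
    f = members(first(buf))
    return int.from_bytes(first(f[0]), "big", signed=True), [v.decode() for _, v in tlvs(first(f[1]))]

def parse_tgs_req(msg):
    """TGS-REQ -> realm, sname and the SPN written as name/parts@REALM."""
    tag, body = next(tlvs(msg))
    if tag != TGS_REQ:
        raise ValueError("not a TGS-REQ")
    req = members(first(body))       # KDC-REQ: [1] pvno [2] msg-type [3] padata [4] req-body
    b = members(first(req[4]))       # KDC-REQ-BODY: [2] realm [3] sname ...
    realm = first(b[2]).decode()
    _, sname = parse_principal(b[3])
    return {"realm": realm, "sname": sname, "spn": "/".join(sname) + "@" + realm}

def parse_krb_error(msg):
    """KRB-ERROR -> error-code, the KDC's realm and the sname it could not resolve."""
    tag, body = next(tlvs(msg))
    if tag != KRB_ERROR:
        raise ValueError("not a KRB-ERROR")
    f = members(first(body))         # [6] error-code [9] realm [10] sname
    return {"error_code": int.from_bytes(first(f[6]), "big", signed=True),
            "realm": first(f[9]).decode(), "sname": parse_principal(f[10])[1]}

def find_unknown_spns(messages):
    """Walk Kerberos messages in wire order; for each KRB-ERROR with error-code 7
    report the SPN the most recent TGS-REQ asked for and which realm refused it."""
    found, last_req = [], None
    for m in messages:
        if m[0] == TGS_REQ:
            last_req = parse_tgs_req(m)
        elif m[0] == KRB_ERROR:
            err = parse_krb_error(m)
            if err["error_code"] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
                found.append((last_req["spn"] if last_req else None, err["realm"]))
    return found

# -- constructed sample traffic (assumed realm and host names, not a real capture) --
def build_tgs_req(realm, *spn_parts):
    body = seq(ctx(0, der(0x03, b"\x00\x40\x81\x00\x00")),   # kdc-options: forwardable, renewable, canonicalize
               ctx(2, gstring(realm)), ctx(3, principal(2, *spn_parts)),   # name-type 2 = NT-SRV-INST
               ctx(5, der(0x18, b"20370913024805Z")), ctx(7, integer(0x1234ABCD)),
               ctx(8, seq(integer(18), integer(17))))          # etypes aes256 / aes128
    return der(TGS_REQ, seq(ctx(1, integer(5)), ctx(2, integer(12)), ctx(4, body)))

def build_krb_error(code, realm, *spn_parts):
    return der(KRB_ERROR, seq(ctx(0, integer(5)), ctx(1, integer(30)),
                              ctx(4, der(0x18, b"20240101120000Z")), ctx(5, integer(0)),
                              ctx(6, integer(code)), ctx(9, gstring(realm)), ctx(10, principal(2, *spn_parts))))

# The domA client asks its own KDC for HTTP/app.domb.example and gets error-code 7 back.
# The last message is the shape of a working referral: asking domA for the inter-realm
# TGT krbtgt/DOMB.EXAMPLE, which the client then presents to the domB KDC.
SAMPLE = [
    build_tgs_req("DOMA.EXAMPLE", "HTTP", "app.domb.example"),
    build_krb_error(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, "DOMA.EXAMPLE", "HTTP", "app.domb.example"),
    build_tgs_req("DOMA.EXAMPLE", "krbtgt", "DOMB.EXAMPLE"),
]

if __name__ == "__main__":
    for spn, realm in find_unknown_spns(SAMPLE):
        print(f"{realm} answered KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for {spn}")
```

On a real capture you would feed the Kerberos payloads (after the 4-byte length prefix on TCP) into find_unknown_spns in packet order; the Wireshark display filter kerberos.error_code == 7 isolates the same error frames, and the TGS-REQ immediately before each one carries the sname this script prints. If that sname is the domB service but the request went to the domA KDC and was refused rather than answered with a krbtgt/DOMB.EXAMPLE referral, the problem is name-suffix routing or the SPN lookup in domA, not the keytab on the F5.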