Forum Discussion
Andi_102219
Nimbostratus
Apr 14, 2011
Kerberos for web proxy clients
Hi folks,
I want to authenticate my web proxy clients with Kerberos as they are using primarily NTLM and that's producing too much overhead in my network and on the DCs.
All the clients are ...
Joel_Moses
Nimbostratus
Apr 14, 2011
Unless "gtm-domain.net" is a domain identifier for another AD domain that's trusted by your main "ad-domain.net" zone, then no. The client will only request a Kerberos ticket for zones that he can resolve a KDC for -- if you don't have a Kerberos TGT server in that domain or the domain your ISA servers are unaware of a trust to the other domain, this won't work. I also don't think that Windows browsers will "follow" the CNAME DNS lookups returned by a query for "proxy.gtm-domain.net". They'll tend to want to request the SPN that's been configured for them in the proxy settings or learned via PAC. Any reason you can't add an NS record somewhere in ad-domain.net pointed to the GTM for, say "proxy.ad-domain.net"?
That may be a moot point, anyway, as I've got a sneaking suspicion here that maybe what you need is to simply create a PAC file that selects the proxy based on network location and the proxy that it points to will be the name registered to the regional proxy in ad-domain.net. In fact, you could potentially use an iRule to build a custom PAC file to feed out to each individual user based on Geolocationing iRule calls and bypass the whole GTM thing altogether.
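The location-based PAC file suggested in the reply above, as an added example that is not part of the original thread. The subnets, port 8080 and the regional host names under ad-domain.net are constructed placeholders; each proxy is returned by FQDN (not IP) so the client can request a Kerberos ticket for the name registered to that proxy, and there is no DIRECT fallback that would let traffic skip the authenticating proxy.

```javascript
// PAC file: choose the regional proxy from the client's subnet.
// Subnets, port and regional host names are constructed placeholders.
var REGIONS = [
  { net: "10.10.0.0", mask: "255.255.0.0", proxy: "proxy-emea.ad-domain.net:8080" },
  { net: "10.20.0.0", mask: "255.255.0.0", proxy: "proxy-amer.ad-domain.net:8080" }
];
var DEFAULT_PROXY = "proxy.ad-domain.net:8080";

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed
// (myIpAddress() may hand back an IPv6 or otherwise unusable value).
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = parseInt(parts[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip falls inside net/mask; malformed input never matches.
function inSubnet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a === null || b === null || m === null) return false;
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}

// Pure selection logic, kept separate so it can be tested outside a browser.
function selectProxy(clientIp) {
  for (var i = 0; i < REGIONS.length; i++) {
    var r = REGIONS[i];
    if (inSubnet(clientIp, r.net, r.mask)) return "PROXY " + r.proxy;
  }
  // Unknown or unparsable location: still go through an authenticating proxy.
  return "PROXY " + DEFAULT_PROXY;
}

// Entry point the browser calls; myIpAddress() is supplied by the PAC runtime.
function FindProxyForURL(url, host) {
  return selectProxy(myIpAddress());
}
```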