Your User Logon name doesn't seem to be right. You have:
host/delegation
. It should be:
host/delegation.domain1.fr
. So, the SPN will become
host/delgation.domain1.fr@subdomain.domain2.FR
.
Also make sure you you set the SPN:
setspn -A host/delgation.domain1.fr delegation
In the APM SSO Configuration the fields 'KDC' and 'SPN Pattern' can be left empty.
DNS is also very important. You need to have both an A and PTR record for mail1.domain1.fr. Make sure you can resolve them from the F5 BIG-IP.
Also see this cookbook. Just follow the steps:
https://devcentral.f5.com/articles/apm-cookbook-single-sign-on-sso-using-kerberos
To test your constrained delegation account on the F5 BIG-IP and see if you can get a ticket for a user.
[root@strongbox:Active:Standalone] / kinit -f 'host/delgation.domain1.fr@subdomain.domain2.FR'
Password for host/delgation.domain1.fr@subdomain.domain2.FR:
[root@strongbox:Active:Standalone] / kvno -C -U user@subdomain.domain2.FR host/delgation.domain1.fr@subdomain.domain2.FR
host/delgation.domain1.fr@subdomain.domain2.FR: kvno = 2
[root@strongbox:Active:Standalone] / klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/delgation.domain1.fr@subdomain.domain2.FR
Valid starting Expires Service principal
12/09/18 17:05:06 12/10/18 03:05:10 krbtgt/subdomain.domain2.FR@subdomain.domain2.FR
renew until 12/16/18 17:05:06
12/09/18 17:05:15 12/10/18 03:05:10 host/delgation.domain1.fr@subdomain.domain2.FR
for client user\@subdomain.domain2.FR@subdomain.domain2.FR, renew until 12/16/18 17:05:06
[root@strongbox:Active:Standalone] /