Forum Discussion
Kerberos SSO without APM?
Hi,
I have a question regarding Single Sign-On with Kerberos.
I have a pair of virtual BIG-IPs on a VIPRION system running in Active/Standby. The systems are connected one-armed and therefore use SNAT. I am load balancing several servers using the LTM... quite easy, no problems.
Now the application guys would like to use our Active Directory for single sign-on to these servers. This works fine if you address one of the pool servers directly, but not if you use the virtual server.
I think the problem is the SNAT. When crossing the LTM, the source address of the packet is changed. When the Kerberos ticket arrives at the server, the IP inside the ticket is different from the source IP because of SNAT.
Is that right, or is there another reason?
Would running the LTM in two-armed mode without SNAT solve my problem?
Or is the only way to buy an APM license and let the BIG-IP talk to the Active Directory?
Unfortunately I have only little knowledge of SSO/Kerberos/AD, but I hope I could make myself clear.
Thanks in advance
Regards,
Thorsten
- Arnaud_Lemaire (Employee)
Hello Thorsten, this should be working. When passing through the BIG-IP, do you have a different FQDN? When you try with one member only in the pool, is this working? Ultimately it could be interesting to start looking at the client-side information, with a browser tool to see the user's requests/responses.
- Michael_Koyfman (Cirrocumulus)
This has nothing to do with F5, but rather with the way Kerberos works. Here is an example of a great old article that talks about how to resolve this issue: http://blogs.technet.com/b/askds/archive/2011/08/09/kerberos-and-load-balancing.aspx
- elfasso_137228 (Nimbostratus)
Hi Michael, thanks for the very useful link. I could not try the suggestion in the link yet, but it sounds very promising. Thorsten
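To make Michael's point concrete, here is an added toy model (not code from the thread, F5 or Microsoft) of what a Kerberos service ticket is actually bound to. A service ticket is issued for the SPN derived from the host name the client used (HTTP/<fqdn>) and is encrypted to the long-term key of the account that owns that SPN; the client's source IP is never part of the check, so SNAT is irrelevant. Ticket encryption is stood in for by an HMAC tag, and all account names, keys and FQDNs (server1/server2/app.example.com, svc-webapp) are constructed for the example.

```python
"""
Toy model of Kerberos service-ticket binding behind a load balancer.
Constructed example: HMAC stands in for ticket encryption, and every
account, key and host name below is invented.
"""
import hmac
import hashlib

# Long-term keys: one per pool member's computer account, plus one shared
# service account intended to own the load-balanced name (all constructed).
KEYS = {
    "SERVER1$": b"key-of-server1",
    "SERVER2$": b"key-of-server2",
    "svc-webapp": b"key-of-shared-service-account",
}

# SPN registrations as the KDC sees them in AD before any fix: each pool
# member owns only its own host name. Nothing owns the virtual server's FQDN.
BASE_SPNS = {
    "HTTP/server1.example.com": "SERVER1$",
    "HTTP/server2.example.com": "SERVER2$",
}


def kdc_issue_ticket(spn, spn_owner, client="thorsten@EXAMPLE.COM"):
    """Stand-in for the TGS: find the account owning the SPN and 'encrypt'
    the ticket to that account's key. Unknown SPN -> no ticket at all."""
    owner = spn_owner.get(spn)
    if owner is None:
        raise LookupError(f"KDC_ERR_S_PRINCIPAL_UNKNOWN: nobody owns {spn}")
    body = f"{client}|{spn}".encode()
    tag = hmac.new(KEYS[owner], body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def server_accepts(ticket, account, source_ip):
    """What a pool member does: verify the ticket with the key of the account
    its application pool runs as. source_ip is accepted only to show that the
    check never looks at it, which is why SNAT does not matter."""
    del source_ip  # deliberately unused
    expected = hmac.new(KEYS[account], ticket["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, ticket["tag"])


def client_sso(fqdn_used, member_account, spn_owner, source_ip="10.0.0.5"):
    """Full round trip: client derives SPN from the name it typed, asks the
    KDC, then presents the ticket to whichever pool member the LTM picked."""
    try:
        ticket = kdc_issue_ticket(f"HTTP/{fqdn_used}", spn_owner)
    except LookupError:
        return False
    return server_accepts(ticket, member_account, source_ip)


def with_vip_spn(spn_owner, vip_fqdn, account):
    """The remedy the linked article describes: register the VIP name's SPN
    on ONE account and run the application on every member as that account.
    Returns a new registration table rather than mutating the input."""
    fixed = dict(spn_owner)
    fixed[f"HTTP/{vip_fqdn}"] = account
    return fixed


def demo():
    """Reproduce the thread's symptoms and the fix; returns a results dict."""
    one_member = with_vip_spn(BASE_SPNS, "app.example.com", "SERVER1$")
    fixed = with_vip_spn(BASE_SPNS, "app.example.com", "svc-webapp")
    return {
        # Direct to a pool member: works, as Thorsten observed.
        "direct_server1": client_sso("server1.example.com", "SERVER1$", BASE_SPNS),
        # Via the VIP with no SPN for its name: KDC refuses, SSO fails.
        "via_vip_no_spn": client_sso("app.example.com", "SERVER1$", BASE_SPNS),
        # SPN registered on server1 only: works on server1, breaks on server2.
        "via_vip_spn_on_server1_hit_server1": client_sso("app.example.com", "SERVER1$", one_member),
        "via_vip_spn_on_server1_hit_server2": client_sso("app.example.com", "SERVER2$", one_member),
        # Shared service account on all members: works regardless of source IP.
        "via_vip_after_fix": client_sso("app.example.com", "svc-webapp", fixed),
        "via_vip_after_fix_snat": client_sso("app.example.com", "svc-webapp", fixed,
                                             source_ip="192.0.2.10"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:40s} {'OK' if ok else 'FAIL'}")
```

The model deliberately ignores ticket addresses: Windows Kerberos clients do not put client addresses in tickets by default, so changing the source IP with SNAT neither breaks nor fixes anything. What does matter is which account the KDC encrypts the ticket to, which is why the partial fix (SPN on a single member) appears to work until the LTM sends the request to the other member, and why a two-armed deployment without SNAT would not have helped.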