Forum Discussion
LDAPS vip - how to?
based on these two articles -
https://relevantsecurity.wordpress.com/2021/04/11/ldap-channel-binding-and-load-balanced-vips/
https://support.f5.com/csp/article/K05648102
It seems MS hardening has made it difficult to load balance ldaps.
In my current setup when I have both a client and server ssl cert in the virtual server, ldp.exe can connect successfully, but when I try and bind I get the error:
Server error: 80090346: LdapErr: DSID-0C09058A, comment: AcceptSecurityContext error, data 80090346, v4563
Error 0x80090346 Client's supplied SSPI channel bindings were incorrect.
which appears to be expected since we have these reg settings:
LDAPServerIntegrity: 1
LdapEnforceChannelBinding: 1
So I removed both the client and server ssl profiles from the VS; once I did that I cannot connect at all:
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Wireshark shows the ldap server requesting a client cert, not getting it, then terminating the session straight away.
Weird thing is, the VS pool has only one member, and I can successfully connect and bind directly to it on ldaps bypassing the F5.
I suspect the issue is the DNS name I connect to resolves to the IP on the F5, which of course is not the name of the actual ldap server, although I did try installing both the ldap server and F5 virtual server client ssl cert on the test machine and still didn't work. I wonder if this is actually possible to get working via F5?
- Leslie_Hubertus (Ret. Employee)
Hi JamesCrk - FYI, I've asked one of my teammates to drop by your thread since there hasn't been a reply from the community just yet.
- JamesCrk (Cirrus)
Sorry, forgot to reply. We got it working using client and server ssl certs; the trick is you need all the SANs in the cert, including the IP address of the VIP, the IP address of the pool member, the domain the client connects to, the hostname of the pool member, etc.
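As an added example (not code from F5, Microsoft, or either poster in this thread), here is a small Python check for the condition the answer names: that the certificate presented on the VIP carries a SAN for every name and address involved, i.e. the DNS name clients connect to, the VIP's IP, the pool member's hostname and the pool member's IP. The host names and addresses in it are constructed, and `fetch_cert` assumes the issuing CA is already trusted on the machine running it. It verifies SAN coverage only; it does not exercise the channel-binding behaviour the original post describes.

```python
"""Check whether an LDAPS certificate's SANs cover every name a client might
present through a load-balanced VIP.

Added example, not code from F5, Microsoft or the thread's posters. Host
names and addresses below are constructed for illustration.
"""
import ipaddress
import socket
import ssl


def _dns_matches(pattern: str, name: str) -> bool:
    """Match one DNS SAN against a name: case-insensitive, trailing dot
    ignored, and a single '*' allowed only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")
        n_labels = name.split(".")
        return len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:]
    return False


def san_coverage(cert: dict, required: list) -> dict:
    """For each required DNS name or IP, report whether some SAN covers it.

    `cert` uses the dict layout returned by ssl.SSLSocket.getpeercert():
    the 'subjectAltName' entry is a tuple of (type, value) pairs with type
    'DNS' or 'IP Address'.
    """
    sans = cert.get("subjectAltName", ())
    dns_sans = [value for kind, value in sans if kind == "DNS"]
    ip_sans = [ipaddress.ip_address(value) for kind, value in sans
               if kind == "IP Address"]
    coverage = {}
    for item in required:
        try:
            wanted = ipaddress.ip_address(item)
        except ValueError:
            # Not an IP literal: it must match a DNS SAN (not the CN, which
            # modern clients ignore once a SAN extension is present).
            coverage[item] = any(_dns_matches(p, item) for p in dns_sans)
        else:
            # IP literals only match iPAddress SANs, never DNS SANs.
            coverage[item] = wanted in ip_sans
    return coverage


def missing_sans(cert: dict, required: list) -> list:
    """Names from `required` that the certificate does not cover."""
    return [name for name, ok in san_coverage(cert, required).items() if not ok]


def fetch_cert(host: str, port: int = 636) -> dict:
    """Fetch the leaf certificate from a live LDAPS endpoint (VIP or pool
    member) in getpeercert() dict form. Hostname checking is disabled so a
    mismatched SAN can be inspected; chain validation stays on, so the
    issuing CA must be trusted on this machine (as it must be for ldp.exe)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: a cert issued for the VIP name and the DC's hostname,
# carrying the VIP address but not the pool member's address.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldaps.corp.example"),),),
    "subjectAltName": (
        ("DNS", "ldaps.corp.example"),
        ("DNS", "dc01.corp.example"),
        ("DNS", "*.lab.corp.example"),
        ("IP Address", "10.0.0.10"),
    ),
}

# The four things the answer says must all be present (constructed values).
REQUIRED_NAMES = [
    "ldaps.corp.example",   # DNS name clients resolve to the VIP
    "10.0.0.10",            # VIP address
    "dc01.corp.example",    # pool member hostname
    "10.0.0.20",            # pool member address
]


if __name__ == "__main__":
    import sys
    # Pass a host to test a live endpoint; otherwise use the sample cert.
    cert = fetch_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    for name, ok in san_coverage(cert, REQUIRED_NAMES).items():
        print(f"{'ok     ' if ok else 'MISSING'} {name}")
```

Run it once against the VIP's DNS name and once against the pool member directly; the two certificates the client sees (the one served by the F5's client-ssl profile and the DC's own) each need to cover the full list, which is what the sample run flags when `10.0.0.20` is absent.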