Multiple Windows Authentication Prompts after F5 Authentication

Okay, so there are few things to consider here:

1. First and foremost APM needs to know what the SPN is for each target application. You can either set this manually with the SPN pattern in the SSO profile, or in lieu of that APM will perform a reverse DNS lookup using the server's IP address to get its hostname (ex. server1.domain.com) and then convert that to a SPN (ex. http/server1.domain.com@DOMAIN.COM). If you don't see the correct SPN in the APM log, then that's very likely the first problem.

    

2. APM is going to perform Kerberos constrained delegation and protocol transition to the target application through a separate delegation account. This account should a) be set to "Trust this user for delegation to specified services only" and "use any authentication protocol", and b) have defined all of the HTTP SPNs for the applications that it will delegate to.