
Forum Discussion

tiwang
Mar 31, 2014

Problems with kerberos - route-domains and error 52

Hi out there

 

I have a small problem with Kerberos SSO and route-domains. I have an F5 11.3 which is running the internet-facing part in route-domain 0 (common), and we then have route-domains 1 and 2 for two independent zones which are isolated.

 

The clients connect to the common partition and need a Kerberos ticket for a webserver in RD 2, where the DC is also located (win2k8r2). Since we are running isolated, I cannot connect from the Kerberos process in the common partition to the DC in RD 2. I can circumvent this by defining a standard VS as a Kerberos proxy (UDP/88) - this works fine in my simple lab. But in the real environment I get a Kerberos error 52 - response too big - which is probably caused by "too much data" for a UDP packet. So, new problem: can I switch Kerberos to use TCP instead of UDP in the F5? I cannot proxy both TCP and UDP in a standard VS as far as I can see, so I need to swap to TCP instead - can this be done? And if so, how?

 

best regards /ti

 
