Replace Microsoft NLB with BIGIP 2200S

You should build each side separately. Configure a backend server for anonymous authentication and configure client side "AAA" Kerberos first. Once you have that working, create a separate access policy with no client side authentication and build your server side "SSO" Kerberos. In the SSO profile, you'll see two "source" session variables (by default session.sso.token.last.username and session.logon.last.domain). In the visual policy for your server side Kerberos access policy, just do Start -> Variable Assign -> Allow. In the variable assign agent, set these two source session variables to a valid domain username and (uppercase) domain name, respectively. Once you have both sides working independently, then you can combine them by changing the input session variable session.logon.last.username (a UPN value: user@DOMAIN) into the two separate server side source variables.