Forum Discussion
but the client wants the software to go through the F5 to get to the DC
Still struggling to understand this part. If we're strictly talking Kerberos here, the client (presumably internal) has direct access to the KDC and can make Kerberos requests for services. The client in this case is either a user and a browser or some piece of software. Once the client receives the Kerberos ticket, it forwards that to the server it wants to talk to. If that's the scenario that you're referring to, then it makes sense that it works without the F5 and not with the F5 - because invariably the name that you use to access the F5 virtual server is not the name/SPN of the server BEHIND the F5. There's nothing special about the F5 setup. It should simply pass that request (and ticket) through the virtual server to the back end service.
If, for whatever reason, you need the client software to access the domain controller THROUGH the F5, then there's a lot more involved. At the very least the client accesses the KDC on port 88. Other services like RPC, NetBIOS, and DNS use other ports. It isn't impossible, but it's not fun trying to proxy AD domain traffic. I'm hoping this is not what you're trying to do.
The bottom line is that you need to understand what the application is trying to accomplish, and how it's trying to do it - who it needs to talk to and how it communicates.
A packet capture will help.
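Added example, not part of the original post: one way to read the Kerberos rows from such a packet capture and see which name the client requested a ticket for and where it sent the request. The tab-separated row layout, the finding labels, and every host name and address are assumptions constructed for illustration.

```python
# Added example: triage Kerberos rows exported from a packet capture.
# Assumed row layout (tab-separated, one Kerberos message per row):
#   src_ip, dst_ip, msg_type, service name components (comma-joined), error_code
TGS_REQ, KRB_ERROR = 12, 30      # message types from RFC 4120
S_PRINCIPAL_UNKNOWN = 7          # KDC_ERR_S_PRINCIPAL_UNKNOWN: SPN not found

# Constructed sample rows; every name and address is hypothetical.
# 10.0.0.50 = client, 10.0.0.10 = domain controller, 10.0.0.20 = F5 virtual server
SAMPLE = (
    "10.0.0.50\t10.0.0.10\t12\tHTTP,vip.corp.example\t\n"
    "10.0.0.10\t10.0.0.50\t30\tHTTP,vip.corp.example\t7\n"
    "10.0.0.50\t10.0.0.10\t12\tHTTP,web01.corp.example\t\n"
    "10.0.0.50\t10.0.0.20\t12\tHTTP,web01.corp.example\t\n"
)

def triage(rows, backend_spns, dc_ips):
    """Return (finding, spn, peer_ip) tuples for the rows that explain a failure."""
    known = {s.lower() for s in backend_spns}
    findings = []
    for line in rows.splitlines():
        if not line.strip():
            continue
        src, dst, mtype, sname, err = (line.split("\t") + [""] * 5)[:5]
        spn = sname.replace(",", "/")
        if int(mtype) == TGS_REQ:
            if dst not in dc_ips:
                # Ticket request sent to something other than a DC (e.g. the proxy).
                findings.append(("kdc-request-not-to-dc", spn, dst))
            if spn.lower() not in known:
                # Ticket requested for the name the client typed, not the back end's SPN.
                findings.append(("spn-not-registered-for-backend", spn, dst))
        elif int(mtype) == KRB_ERROR and err.strip() == str(S_PRINCIPAL_UNKNOWN):
            findings.append(("kdc-does-not-know-spn", spn, src))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE, {"HTTP/web01.corp.example"}, {"10.0.0.10"}):
        print(*finding, sep="\t")
```

Pass the SPNs registered on the back-end service's account as `backend_spns` and the domain controllers' addresses as `dc_ips`; an empty result means the capture shows the client asking a DC for the back end's own SPN.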