Hi
Still not very clear unfortunately :-)
But many options there, here is just a few :
1- If your internal users MUST authenticate without passwords : then you can do Kerberos Authentication on the F5 itself, then yes you will need a keytab and configuration object on APM to perform authentication. Then, once AUTHENTICATION is done on APM, you can use KCD (Kerberos Constrained Delegation) to perform a Kerberos authentication to the web_auth module. This of course works only for users in the internal domain / REALM
2- If you intend to allow other authentication method on the F5 (like for example strong authentication, MFA...) then you can configure whatever factors you want on APM to authenticate the user. Once done, you can perform KCD again to authenticate to web_auth module on your backend,
This allows you to support only one authentication method on your backend, and handling multiple authentication type on the F5 ... But again, your requirements are not cristal clear as of now.
I hope this information helps you...
Yoann