Hey,
I have a similar problem, except I'm not using IIS.
We have a collection of SOAP/WCF services, accessible internally only on Win2k3 servers.
Each one of these services runs under a domain account. The data from these services is stateless; we are using the Microsoft delegation model with WS Security in our .NET applications to pass Kerberos information/SPNs from the client to the backend. Under load we continually get Kerberos errors; however, the moment I apply a Persistence Profile, all works fine.
I gather that, through each payload sent from the client, a message is sent along with the Kerberos token. The token is applied against “backend server 1” and travels back to the client; the client then sends its next payload, which is load balanced to “backend server 2”, the Kerberos tokens don’t match up, and an error is displayed.
Anyone had any experience with this sort of setup? Have you set persistence connections? What sort of timeout are you using? I’ve also tried adding the F5 to the domain using “Configuration Guide for Kerberos Delegation”, but that appeared to only be useful for IIS setups using host-based SPNs.
I was considering setting up an iRule specifically for Kerberos packets and trying to persist only those; however, I don't think this would be relevant if the token is bound to the payload sent from the client.