Forum Discussion
Just my 2c, might not be relevant to your situation.
I experienced something similar when I was trying to set up an office online server and attach it to our SharePoint VIP with smart card auth. Turns out I didn't need to mess with SPNs/configure Kerberos or anything. SharePoint ACLs were handling the access to the files and the IIS site used anonymous authentication.
action_; My deployment definitely requires SSO with KCD variables. My APM essentially does client-cert auth from any user anywhere and then proxies this user through into an internal sharepoint on a private domain/realm. We use identifiers within the cert the client provides to validate the client within the AD domain. All they need to provide is their cert and PIN to use it. APM takes care of the rest. From Sharepoint's perspective, all the IIS front-ends see is the F5 float IP making connections and sending TGS tickets on behalf of domain users.
I went from 11.6.1 HF2 to 13.1.1 last night with no change to this particular issue, but I really didn't expect things to change. My suspicion is something in this tenant domain, but I can't point fingers just yet...