Forum Discussion
Bear with me LOL... I'm pulling this from memory. The way I am explaining this should work for keytab and if one had APM.
Your AD dude is right. Both domains have to trust each other.
TGT = Ticket Granting Ticket; SPN = Service Principal Name; KDC = Domain Controller.
The F5 will be delegated the rights to grant TGTs on behalf of the Domain Controller for both domains via a username from Domain 1 and an SPN from Domain 2.
The application servers will have to have a service account configured (same as the F5 AAA account name, or a unique one); having a unique one will help with password resets and fat-finger mistakes by your application guys when they stand up a new box. The SPN of the F5 account (I think) has to be specified in the Delegation of the application service account under the "Delegation" tab in AD (if a unique account is used). All you have to specify is "HTTP" when it is one layer (F5 -> application server). If the application server has to reach out to SQL servers or anything else that needs SSO (Single Sign-On), you will have to specify those SPNs (Delegation tab) as well on the application service account.
Keytab:
- F5 service account: HTTP/SPNusername (can be the same as the service account name or unique) -- primary domain
- HTTP/SPNusername of an account from the second domain that has TGT account rights ("Domain Admin" type rights) -- secondary domain
krb5.conf (/etc/krb5.conf): https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13399 -- has to be configured as well, using the above URL as a reference. (Not used if one has APM.)
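As an added check (not from the original post or from F5), here is a PowerShell script that verifies the AD side of the setup described above from a domain-joined admin host with the RSAT ActiveDirectory module: the SPNs on both accounts, what each account is allowed to delegate to, the trust with the second domain, and duplicate SPNs. The account names, host FQDN and domain name are placeholders you replace with your own.

```powershell
# Added example: verify the AD objects behind the F5 Kerberos setup.
# Placeholders (assumptions, replace with your values):
#   svc_f5           - F5 AAA / keytab service account
#   svc_app          - application server service account
#   app.corp.example - application server FQDN behind the F5
#   corp2.example    - the second (trusted) domain
Import-Module ActiveDirectory

$F5Account   = 'svc_f5'
$AppAccount  = 'svc_app'
$AppFqdn     = 'app.corp.example'
$OtherDomain = 'corp2.example'

# Pull SPNs and delegation settings for one account. The account that
# performs the delegation must list the downstream SPNs (HTTP, then SQL
# etc. for further hops) in msDS-AllowedToDelegateTo; the Delegation tab
# writes that attribute plus the TrustedToAuthForDelegation flag.
function Show-DelegationInfo {
    param([string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties servicePrincipalName,
        'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
    "=== $Identity ==="
    "SPNs registered:"
    $u.servicePrincipalName | ForEach-Object { "  $_" }
    "Allowed to delegate to (msDS-AllowedToDelegateTo):"
    $u.'msDS-AllowedToDelegateTo' | ForEach-Object { "  $_" }
    "Protocol transition (use any auth protocol): $($u.TrustedToAuthForDelegation)"
    return $u
}

$f5  = Show-DelegationInfo -Identity $F5Account
$app = Show-DelegationInfo -Identity $AppAccount

# The app host's HTTP SPN must sit on the app service account, otherwise
# the service ticket the F5 obtains cannot be decrypted by the server.
if ($app.servicePrincipalName -notcontains "HTTP/$AppFqdn") {
    Write-Warning "HTTP/$AppFqdn is not registered on $AppAccount"
}

# Both domains have to trust each other: expect Direction = BiDirectional.
"=== Trust with $OtherDomain ==="
Get-ADTrust -Filter "Name -eq '$OtherDomain'" |
    Select-Object Name, Direction, TrustType, ForestTransitive

# Duplicate SPNs break Kerberos silently; setspn -X reports any in the forest.
"=== Duplicate SPN check ==="
setspn -X
```

Compare the printed delegation targets against the SPN list the application actually needs; anything beyond HTTP for the app host and the downstream services named in the post is excess delegation to trim.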