I'm having the same issue and here is what I have found in troubleshooting so far:
We are running IIS 6 on Win 2003 and the sites in question are ASP.Net v2.0.5. I have two web sites in the same app pool; one is set to use Windows Integrated Authentication (WI) and the other Allow Anonymous Access (AA). Hitting the (AA) site after launching the (WI) site will cause the credential prompt. Happens every time. I enabled (WI) on the (AA) site, and all the issue went away...mostly. Seems the network team was able to get a few with lots and lots of requests to the first (WI) site. My thinking is that these may have been caused by other users having a legitimate security failure (i.e. locked account) since the client IP (c-ip) is always the F5s IP. I may be off base here, but it seems the IIS auth token is cleared and authorization is required of the next user to make a request. A possible solution would be to do the IP replace in the header as suggested above. I'm not a network guy through, and don't know how this would impact the rest of our world. Any comments would be appreciated.
This is only occurring via the dns which is routed though the F5s. ip:port and servername:port work just fine, but aren't going through the F5s