Forum Discussion

Osiris0815_9742
Jun 09, 2016

Issue with Kerberos Authentication - Load Balancing several LDAP servers

Hi all,


At the moment we have moved our LDAP servers behind the LTM. I am using a single virtual IP which is listening on all needed LDAP ports.


Everything is working fine except the Kerberos authentication for some applications, as they send a request on UDP port 88. I see the packet arriving on the box when I start a tcpdump, but I cannot see any packets traveling out.


Version of the LTM is 12.0.


Maybe some of you have encountered such an issue before.


Cheers


4 Replies

  • R_Marc

    Do you have a vip on port 88 with a UDP profile? I'm assuming you are using an any listener. I also assume that listener has a tcp profile attached. You can't have a listener with both a UDP and a TCP profile attached, they'd need to be separate listeners.


  • The port 88 request is going to be the communication between the client and the KDC. If the client is local to the domain/realm, then technically it should not need to go through a VIP to get to the KDC.


  • Understood, but application traffic and Kerberos traffic are generally different things. In order to present a Kerberos ticket in an application request, a client must separately communicate with the KDC (usually on TCP or UDP port 88) to get that ticket. My question is: why is your client trying to go through an LTM VIP to get to the KDC? The client should be local to the KDC.


  • An Active Directory typically load balances itself, so it's usually not recommended to actually put domain services behind a load balancer. But in any case, you'd need a fastL4 VIP listening on port 88 and any port to cover both TCP and UDP requests. And I'd probably also use source persistence.
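The listener layout the replies above describe, written out as a tmsh command sequence. This is an added example, not configuration from the original poster or from F5; the object names, the VIP address 198.51.100.5 and the pool member addresses 192.0.2.10/11 are placeholders, and the `#` lines are explanatory comments.

```tmsh
# Pool of KDCs (domain controllers). Addresses are placeholders from the
# RFC 5737 documentation range; a TCP monitor on :88 confirms the KDC listens.
create ltm pool kdc_pool members add { 192.0.2.10:88 192.0.2.11:88 } monitor tcp

# Option A (last reply): one fastL4 virtual server on the LDAP VIP address,
# port 88, IP protocol "any", so a single listener covers both TCP/88 and
# UDP/88 Kerberos requests. Source-address persistence keeps a client on the
# same KDC for the AS/TGS exchanges.
create ltm virtual vs_kdc_88 destination 198.51.100.5:88 ip-protocol any profiles add { fastL4 } pool kdc_pool persist replace-all-with { source_addr }

# Option B (first reply): if the existing LDAP virtual already carries a TCP
# profile, add a separate UDP-only listener for port 88 instead. One virtual
# server cannot hold both a TCP and a UDP profile.
create ltm virtual vs_kdc_88_udp destination 198.51.100.5:88 ip-protocol udp profiles add { udp } pool kdc_pool persist replace-all-with { source_addr }

# Check: the virtual must show the expected protocol, and its counters should
# now move when a client sends UDP/88; packets seen by tcpdump that never
# leave the box point at a listener that does not match the protocol.
list ltm virtual vs_kdc_88
show ltm virtual vs_kdc_88
```

If the existing LDAP virtual is a wildcard-port TCP listener on the same address, the port-88-specific virtual created here takes precedence for that port, so the two can coexist on one VIP address.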