Kevin, What we are seeing in wireshark on the DC is the TGT request and TGS request completing without issue. The F5 is requesting a forwardable ticket per the option fields. We see no KRB errors.
On the APM WEBSSO set to debug - we see the first
Oct 4 14:46:25 F5-APM debug websso.1[14917]: 014d0001:7: ssoMethod: kerberos usernameSource: session.ldap.last.attr.sAMAccountName userRealmSource: session.logon.last.domain Realm: DOMAIN.NAME KDC: 10.10.227.54 AccountName: HOST/serviceacct spnPatterh: HTTP/somesite.com@DOMAIN.NAME TicketLifetime: 600 UseClientcert: 0 SendAuthorization: 0
Oct 4 14:46:25 F5-APM debug websso.1[14917]: 014d0001:7: ctx: 0x5a905598, CLIENT: TMEVT_REQUEST
Oct 4 14:46:25 F5-APM debug websso.1[14917]: 014d0001:7: ctx: 0x5a905598, CLIENT: TMEVT_REQUEST_DONE
Oct 4 14:46:25 F5-APM debug websso.1[14917]: 014d0001:7: ctx: 0x5a905598, CLIENT: TMEVT_SESSION_RESULT
Oct 4 14:46:25 F5-APM debug websso.1[14917]: 014d0001:7: ctx: 0x5a905598, CLIENT: TMEVT_SESSION_RESULT
Oct 4 14:46:25 F5-APM debug websso.1[14917]: 014d0001:7: ctx: 0x5a905598, CLIENT: TMEVT_SESSION_RESULT
Oct 4 14:46:25 F5-APM debug websso.1[14917]: 014d0001:7: ctx: 0x5a907250, SERVER: TMEVT_REQUEST
Oct 4 14:46:25 F5-APM info websso.1[14917]: 014d0011:6: 4e45c27d: Websso Kerberos authentication for user 'eric.haupt1' using config '/Common/Kerberos_SSO'
Oct 4 14:46:25 F5-APM debug websso.1[14917]: 014d0046:7: 4e45c27d: adding item to WorkQueue
Oct 4 14:46:25 F5-APM debug websso.1[14917]: 014d0021:7: sid:4e45c27d ctx:0x5a905598 SPN = HTTP/somesite.com@DOMAIN.NAME
Oct 4 14:46:25 F5-APM debug websso.1[14917]: 014d0023:7: S4U ======> ctx: 4e45c27d, sid: 0x5a905598, user: eric.haupt1@DOMAIN.NAME, SPN: HTTP/somesite.com@DOMAIN.NAME
Oct 4 14:46:25 F5-APM debug websso.1[14917]: 014d0001:7: Getting UCC:eric.haupt1@DOMAIN.NAME@DOMAIN.NAME, lifetime:36000
Oct 4 14:46:25 F5-APM debug websso.1[14917]: 014d0001:7: fetched new TGT, total active TGTs:1
Oct 4 14:46:25 F5-APM debug websso.1[14917]: 014d0001:7: TGT: client=HOST/serviceacct@DOMAIN.NAME server=krbtgt/DOMAIN.NAME@DOMAIN.NAME expiration=Fri Oct 5 00:46:25 2018 flags=40610000
Oct 4 14:46:25 F5-APM debug websso.1[14917]: 014d0001:7: TGT expires:1538714785 CC count:0
Oct 4 14:46:25 F5-APM debug websso.1[14917]: 014d0001:7: Initialized UCC:eric.haupt1@DOMAIN.NAME@DOMAIN.NAME, lifetime:36000 kcc:0x5a907aa0
Oct 4 14:46:25 F5-APM debug websso.1[14917]: 014d0001:7: UCCmap.size = 1, UCClist.size = 1
Oct 4 14:46:25 F5-APM debug websso.1[14917]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: eric.haupt1@DOMAIN.NAME server: HTTP/somesite.com@DOMAIN.NAME - trying to fetch
Oct 4 14:46:25 F5-APM debug websso.1[14917]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for user: eric.haupt1@DOMAIN.NAME - trying to fetch
Oct 4 14:46:25 F5-APM debug websso.1[14917]: 014d0001:7: S4U ======> - fetched S4U2Self ticket for user: eric.haupt1@DOMAIN.NAME
Oct 4 14:46:25 F5-APM debug websso.1[14917]: 014d0001:7: S4U ======> trying to fetch S4U2Proxy ticket for user: eric.haupt1@DOMAIN.NAME server: HTTP/somesite.com@DOMAIN.NAME
Oct 4 14:46:25 F5-APM err websso.1[14917]: 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/somesite.com@DOMAIN.NAME - Requesting ticket can't get forwardable tickets (-1765328163)
Oct 4 14:46:25 F5-APM err websso.1[14917]: 014d0024:3: 4e45c27d: Kerberos: Failed to get ticket for user eric.haupt1@DOMAIN.NAME
Oct 4 14:46:25 F5-APM debug websso.1[14917]: 014d0001:7: ctx: 0x5a907250, SERVER: TMEVT_NOTIFY
Oct 4 14:46:25 F5-APM err websso.1[14917]: 014d0048:3: 4e45c27d: failure occurred when processing the work item