Don t know if this will help but this is how I got it working with 2 internal connectors for SSO and 2 externals without Kerberos after couple of days scratching my head.
Check and browse to the AD object of your Kerberos connectors from a DC not from the RSAT console and ensure that in the Delegation tab Trust this computer for delegation to any service (Kerberos only) is selected and also in the Attibute Editor tab look for the servicePrincipalName.
I have a split DNS. My workspace is configured on mydomain.com and not on local.mydomain.com.
The values there were set like HOST / connector-va3.local.mydomain.com. Changed them :
HOST / connector-va3.mydomain.com
HOST / connector-va3
also added the one my F5 box is using HOST / connectors.mydomain.com just to be sure.
Then I have unticked the allow redirect box on those connectors (still don t know why but worked without) and got my SSO working.
Hope this will get you out of this issue ![]()
Seb
Also had issues with the X-forwarder-For. For some reason putting the VIP of the F5 box wasn't sufficient. Had to put there also the physical ip's of my F5 LTM