If I may add, I haven't seen the resulting config, but given that the documentation doesn't mention APM (or ACA), I have to assume Kerberos is performed in pass-through. That means that the client is likely still making the initial Kerberos request and passing the ticket through the F5 to Websense. That should work, but the address that the client uses to access the F5 VIP must be the same name they would otherwise use to access Websense directly. Kerberos is highly dependent on names (service principal names), and a browser will make a request to the KDC based on the name used to access the resource. This all ties back to encryption keys that are defined by specific SPNs. If you look at a network capture (Wireshark is best for this), you'll probably see the client either try and fail to get a Kerberos ticket and then fail over to NTLM, or pass a Kerberos ticket (but with the wrong SPN/key) and subsequently get a 401 response from Websense telling it to use NTLM.
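The capture check described above, as an added example that is not part of the original post: it derives the SPN a browser would request from the URL it was given, compares it with the SPN the service holds, and classifies each captured `Authorization` or `Proxy-Authorization` value as Kerberos or NTLM. The host names, the service SPN and the token bytes are constructed placeholders, and the SPN derivation assumes no CNAME canonicalization and no port in the SPN.

```python
import base64
from urllib.parse import urlsplit

NTLMSSP = b"NTLMSSP\x00"                             # NTLM message signature
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # DER OID 1.2.840.113554.1.2.2

def expected_spn(url):
    """SPN a browser requests for this URL: HTTP/<host the client used>.
    Assumption: no CNAME canonicalization and no port in the SPN."""
    return "HTTP/" + urlsplit(url).hostname.lower()

def classify(header_value):
    """Classify an Authorization / Proxy-Authorization header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() == "NTLM":
        return "ntlm"
    if scheme.upper() != "NEGOTIATE":
        return "other"
    raw = base64.b64decode(token)
    if raw.startswith(NTLMSSP):
        return "ntlm"            # NTLM carried directly in Negotiate = fallback
    if raw[:1] == b"\x60" and KRB5_OID in raw:
        return "kerberos"        # GSS-API token carrying the Kerberos mech OID
    return "ntlm" if NTLMSSP in raw else "unknown"

def diagnose(client_url, service_spn, header_values):
    """Return (spn_ok, mechanisms seen in order) for one capture."""
    spn_ok = expected_spn(client_url).lower() == service_spn.lower()
    return spn_ok, [classify(h) for h in header_values]

# Constructed sample data (not from a real capture); host names are placeholders.
KRB_TOKEN = base64.b64encode(b"\x60\x82\x01\x00\x06\x06\x2b\x06\x01\x05\x05\x02"
                             + b"\xa0\x0d\x30\x0b" + KRB5_OID + b"\x00" * 16).decode()
NTLM_TOKEN = base64.b64encode(NTLMSSP + b"\x01\x00\x00\x00\x07\x82\x08\xa2").decode()

if __name__ == "__main__":
    # Client used the VIP name, but the service key belongs to another SPN.
    capture = ["Negotiate " + KRB_TOKEN, "NTLM " + NTLM_TOKEN]
    print(diagnose("http://vip.example.com:8080/", "HTTP/websense.example.com", capture))
```

A result of `spn_ok == False` followed by a Kerberos token and then an NTLM token matches the second failure pattern in the post: a ticket issued for the wrong SPN, then fallback to NTLM.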