APM log when using Kerb SSO Conf of domainA (kerb service account in domain A):
8472f4ff: Websso Kerberos authentication for user 'userb' using config '/Common/F5-ADFSProxy-KerbSSO'
8472f4ff: adding item to WorkQueue
sid:8472f4ff ctx:0x8676928 server address = ::ffff:10.0.10.3
sid:8472f4ff ctx:0x8676928 SPN = HTTP/webapp1.coolapp.com@DOMAINA.COM
S4U ======> ctx: 8472f4ff, sid: 0x8676928, user: userb@DOMAINB.COM, SPN: HTTP/webappb1.coolapp.com@DOMAINA.COM
Getting UCC:userb@DOMAINB.COM@DOMAINA.COM, lifetime:36000
Found UCC:userb@DOMAINB.COM@DOMAINA.COM, lifetime:36000 left:35563
UCCmap.size = 4
S4U ======> - NO cached S4U2Proxy ticket for user: userb@DOMAINB.COM server: HTTP/webappb1.coolapp.com@DOMAINA.COM - trying to fetch
S4U ======> - NO cached S4U2Self ticket for user: userb@DOMAINB.COM - trying to fetch
Kerberos: can't get S4U2Self ticket for user userb@DOMAINB.COM - Realm not local to KDC (-1765328316)
8472f4ff: Kerberos: Failed to get ticket for user userb@DOMAINB.COM
user domain is ok
web server domain is ok
Result KO
Now using a kerb SSO conf with a service account in domainB:
info websso.1[14088]: 014d0011:6: 9c741e95: Websso Kerberos authentication for user 'userb' using config '/Common/DOMAINB-KCD'
debug websso.1[14088]: 014d0046:7: 9c741e95: adding item to WorkQueue
debug websso.1[14088]: 014d0018:7: sid:9c741e95 ctx:0x8676928 server address = ::ffff:10.0.10.3
debug websso.1[14088]: 014d0021:7: sid:9c741e95 ctx:0x8676928 SPN = HTTP/webapp1.coolapp.com@DOMAINB.COM
debug websso.1[14088]: 014d0023:7: S4U ======> ctx: 9c741e95, sid: 0x8676928, user: userb@DOMAINB.COM, SPN: HTTP/webapp1.coolapp.com@DOMAINB.COM
debug websso.1[14088]: 014d0001:7: Getting UCC:userb@DOMAINB.COM@DOMAINB.COM, lifetime:36000
debug websso.1[14088]: 014d0001:7: Found UCC:userb@DOMAINB.COM@DOMAINB.COM, lifetime:36000 left:35280
debug websso.1[14088]: 014d0001:7: UCCmap.size = 4
debug websso.1[14088]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: userb@DOMAINB.COM server: HTTP/webapp1.coolapp.com@DOMAINB.COM - trying
debug websso.1[14088]: 014d0001:7: S4U ======> trying to fetch S4U2Proxy ticket for user: userb@DOMAINB.COM server: HTTP/webapp1.coolapp.com@DOMAINB.COM
err websso.1[14088]: 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/webapp1.coolapp.com@DOMAINB.COM - Requesting ticket can't get forwardable ticke
err websso.1[14088]: 014d0024:3: 9c741e95: Kerberos: Failed to get ticket for user userb@DOMAINB.COM
user domain is ok
server domain is KO
Result KO
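
Added example, not part of the original post or of any F5 tool: a small parser that groups the websso lines above by session and reports the user realm, the SPN realm and the S4U step that failed, which is the comparison the "user domain / server domain" notes make by hand. The result field names, and the rule that an error line carrying no session ID belongs to the most recent `S4U ======>` line, are assumptions of this example.

```python
import re

# Lines copied from the two log excerpts above (the second set keeps its syslog prefix).
SAMPLE = """\
8472f4ff: Websso Kerberos authentication for user 'userb' using config '/Common/F5-ADFSProxy-KerbSSO'
S4U ======> ctx: 8472f4ff, sid: 0x8676928, user: userb@DOMAINB.COM, SPN: HTTP/webappb1.coolapp.com@DOMAINA.COM
Kerberos: can't get S4U2Self ticket for user userb@DOMAINB.COM - Realm not local to KDC (-1765328316)
8472f4ff: Kerberos: Failed to get ticket for user userb@DOMAINB.COM
info websso.1[14088]: 014d0011:6: 9c741e95: Websso Kerberos authentication for user 'userb' using config '/Common/DOMAINB-KCD'
debug websso.1[14088]: 014d0023:7: S4U ======> ctx: 9c741e95, sid: 0x8676928, user: userb@DOMAINB.COM, SPN: HTTP/webapp1.coolapp.com@DOMAINB.COM
err websso.1[14088]: 014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/webapp1.coolapp.com@DOMAINB.COM - Requesting ticket can't get forwardable ticke
err websso.1[14088]: 014d0024:3: 9c741e95: Kerberos: Failed to get ticket for user userb@DOMAINB.COM
"""

# Patterns use search(), so they match with or without the syslog prefix.
START = re.compile(r"(\w{8}): Websso Kerberos authentication for user '[^']+' using config '([^']+)'")
# In these logs the session ID is printed after "ctx:" on the S4U line.
S4U = re.compile(r"S4U ======> ctx: (\w+), sid: \w+, user: [^@\s]+@([^,\s]+), SPN: (\S+)@(\S+)")
FAIL = re.compile(r"can't get (S4U2Self|S4U2Proxy) ticket for (?:user|server) \S+ - (.*)")


def summarize(text):
    """Return {session_id: summary} for every session seen in the log text."""
    sessions, last = {}, None
    for line in text.splitlines():
        if m := START.search(line):
            sessions[m[1]] = {"config": m[2], "stage": None, "error": None}
        elif m := S4U.search(line):
            last = sessions.setdefault(m[1], {"config": None, "stage": None, "error": None})
            last.update(user_realm=m[2], spn=m[3], spn_realm=m[4],
                        cross_realm=m[2] != m[4])
        elif (m := FAIL.search(line)) and last is not None:
            # Assumption: the error line has no session ID, so attach it to the
            # session of the most recent S4U line (unreliable if sessions interleave).
            last["stage"], last["error"] = m[1], m[2].strip()
    return sessions


if __name__ == "__main__":
    for sid, s in summarize(SAMPLE).items():
        print(f"{sid} config={s['config']} user_realm={s.get('user_realm')} "
              f"spn_realm={s.get('spn_realm')} cross_realm={s.get('cross_realm')} "
              f"failed_step={s['stage']} error={s['error']!r}")
```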