Hesham,
Easy fix
Create a HTTP parameter map, and assign it to the class in the service-policy.
parameter-map type http HTTP
case-insensitive
persistence-rebalance
set header-maxparse-length 65535
set content-maxparse-length 65535
length-exceed continue
policy-map multi SLB
class VIP
poli ..
load ..
blah blah
appl-parameter http advanced-options HTTP
Basically, this is what happens:
The kerberos ticket is too big to fit in the HTTP header. Thats, it's to big for ACE, which caps the header size at 4K by default.
Try before you buy test:
Create an user within Active Directory, and only assign it to the bare minimum of security groups.
Then try accessing the website, before applying the configuration.
Cheers mate,
Søren Elleby Sørensen