The problem with kerberos is that the user must first sends a request to kerberos server that delivers a token to then contact the destination server. Here the user will use the vip ip to request the token and when contacting the destination the ip is different and the token not accepted.
I had an issue like this in a long time ago and I don't think we ever found a solution.
Did you try to configure loopback ip addresses on the server that would be the same ip as the vip ?
Then configure service of type transparent on the CSS.
Or contact the kerberos admin guy to see if he knows a way to have a token valid on multiple platforms
You can do the configuration like that:
owner xxxx
content short
vip address x.x.x.x
redirect "//test.company.com:50100/irj"
protocol tcp
port 80
url "//short_name/"
active
content fqdn
vip address x.x.x.x
redirect "//test.company.com:50100/irj"
protocol tcp
port 80
url "//test.company.com/"
active
content lb_rule
vip address x.x.x.x
balance weightedrr
advanced-balance sticky-srcip
url "//test.company.com:50100/*"
protocol tcp
port 50100
add service srv1
add service srv2 weight 5
active
service srv1
ip address x.x.x.x
keepalive type http
keepalive port 50100
keepalive uri "/index.html"
type redirect
port 50100
active
service srv2
ip address x.x.x.x
keepalive type http
keepalive port 50100
keepalive uri "/index.html"
type redirect
port 50100
active