If you have request logs enabled on the virtual server that you are having problems with, the reason for the 500 error should be recorded (including if it is, as it is likely to be in this case, related to Kerberos protocol transition).

When configuring Kerberos protocol transition, you are required to, somewhere (virtual server, pool or TrafficScript), specify three principals:

1. The principal (and configuration) for the traffic manager to use with protocol transition (configured by specifying the name of the appropriate entry in the Kerberos catalog).
2. The target principal name of the service provide by the pool nodes.
3. The client principal name of the client connecting to the traffic manager.

Client principal name (3) will be extracted from a client certificate acquired via TLS - in this configuration the traffic manager must authenticate the client via TLS client certificate authentication.  This principal name is expected to be encoded in a certificate as a subject alternative name annotated as a szOID_NT_PRINCIPAL_NAME type (documented in Object IDs associated with Microsoft cryptography) following the guidelines for smart-card based login (for more details see Guidelines for enabling smart card logon with third-party certification authorities).

I have request logging enabled, but its not much help. 

This is an example of the output, I changed it to stingray extended format.

-|10.25.6.238|GET /|-|500|-|630|-|-|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)

-|10.25.6.238|GET /alfresco/|-|500|-|630|JSESSIONID=1E02ADBF9F015C728749F2BB2E75B0C0|-|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)

-|10.25.6.238|GET /share/|-|500|-|630|JSESSIONID=7490CC6D7E17B504DFE98F60902EC013; _alfTest=_alfTest; alfLogin=1410773796|-|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)

The Client certificate is a standard User certificate from AD Certificate Services.  I will need to look a bit deeper to see if it uses the correct OIDs etc.

I've also added a traffic script to dump all the headers, and the User Principle Name is not part of it. This must be where its going wrong. 

Cheers

I have request logging enabled, but its not much help.  

You're completely right, I told you to enable the wrong type of logging (sorry!) - what we need is the connection error logging enabled for the virtual server - log!server_connection_failures - found under Connection Management > Connection Error Settings.

I've also added a traffic script to dump all the headers, and the User Principle Name is not part of it. This must be where its going wrong.

You can use the TrafficScript function http.kerberos.getClientPrincipalName() to determine what client principal name is going to be used by the traffic manager (if the empty string is returned then that is a good indication that the traffic manager has not been able to extract the principal name from the certificate).

Thanks, I was getting the error...

> Key version number for principal in key table is incorrect

Apparently, when generating the keytab, specifying the kvno number does not work. It must auto increment regardless of what you specify.

I generated and uploaded a new keytab, and the 500 errors are gone.

The certificate also works, its showing the correct username under getClientPrincipalName

I just need to figure out why its trying to login to the server using the TMs principle name, rather then the client.

Cheers

 The certificate also works, its showing the correct username under getClientPrincipalName

That's good news - thanks for sharing!

I just need to figure out why its trying to login to the server using the TMs principle name, rather then the client.

I wouldn't expect that; the only thing I can think of to check would be that the TMs account is correctly configured for delegation - that said if it wasn't I would expect the S4U2Proxy exchange to result in an error, rather than a ticket for itself to the target service.