Using NC / Webdav / Net Use with SSO/Kerberos behind WAF with reverse Proxy

Nextcloud version (eg, 12.0.2): 16.03
Operating system and version (eg, Ubuntu 17.04): Ubuntu 18.04
Apache or nginx version (eg, Apache 2.4.25): Apache/2.4.29
PHP version (eg, 7.1): 7.2.19

We have two access points for NC

  1. internal Network
  2. over Internet behind a WebApplicationFirewall (WAF) with reverse proxy
    On both access point we trie using the Browser, Webdav on Windows and Linux and NetUse on Windows.
    We have configured NC to Access via SSO over Kerberos to our MS AD and using LDAPs for Authentication.

On internal Network everything is working with Browser (https), WebDavSecure and NetUse on all Operating System
On External (Internet) we can use only the Browser but not WebDav or NetUse.

WAF konfigurtion is configured on Firewall (Sophos) with reverse Proxy Authentication.
User open the Browser, get the login Page from the FW and if he is allowed he get directly connection to NC over SSO / Kerberos connection.
Internal Browser Link example:
ExternaI Browser Link example:

Internal WebDav Link example:
or on Linux: davs://
External WebDav Link example:
For NetUse almost the same like WebDav

Apache Config:

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/
    SSLCertificateKeyFile /etc/ssl/private/

    # Pfad zu den Webinhalten
    DocumentRoot /vol1/nc/
    <IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"

<Location "/index.php/login?direct=1">
        Options -Indexes
        Order allow,deny
        Allow from all
        AuthType Kerberos
        AuthName "TRZ-Cloud-Authentication"
        KrbAuthRealms LOCAL.COM
        KrbServiceName HTTPS/
        Krb5Keytab /etc/krb5_nc.keytab
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        require valid-user

Our config.php

$CONFIG = array (

  'memcache.local' => '\\OC\\Memcache\\APCu',
  'instanceid' => 'oct306',
  'passwordsalt' => 'pwd',
  'secret' => 'pwd',
  'trusted_domains' =>
  array (
    0 => '',
    1 => '',
    2 => '',
  'datadirectory' => '/vol1/nc/data',
  'dbtype' => 'mysql',
  'version' => '',
  'overwrite.cli.url' => '',
  'dbname' => 'nc',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nc',
  'dbpassword' => 'pwd',
  'installed' => true,
  'mail_from_address' => 'nc',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => '',
  'mail_smtphost' => '',
  'mail_smtpport' => '25',
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',

So if we use the external Webdav oder NetUse Link we get the Message “der angegebene Ordner ist ungültig. wählen Sie einen anderen Ordner”
I’am not sure but could it be a different link for WebDav/NetUse if we using SSO like on Browser?

I have search man other post but can’t find any solution.
So if someone has a idea for us?
Thank you very much

wrbrgds TheBob