I'm running BO 4.0 SP2 with Kerberos SSO, with Tomcat on a web box and an app box for everything else. We have Kerberos SSO working with Windows AD, but when we enable constrained delegation and try to proxy in via Microsoft Forefront TMG, SSO fails with "Account Information Not Recognized: Active Directory Authentication failed to log you on."
Debug and logging are enabled. I get a success message in stderr.log:
Oct 20, 2011 4:39:14 PM com.wedgetail.idm.sso.util.DefaultAuditor auditAccess
INFO: access: /BOE/portal/110825/InfoView/logon/logonService.do by user: MY_LOGIN = granted
But then there's an error in stdout.log:
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: @MY_DOMAIN.COM
It looks like it's stripping the username off. The TMG admin says they can see where the ticket is passing with the user name. SAP support says they can't support the TMG (understandable), so here I am in limbo.
Ideas anyone?