Is it possible to do optional Kerberos authentication?
What I want is: if the client (browser) is not on the domain, it is redirected to a username/password web login.
Yes. You can do this. When the server receives an unauthenticated request, it replies with a 401 ("Authorization required") carrying a WWW-Authenticate header set to Negotiate. If the Kerberos authentication fails, the server also sends a 401 back.
Whenever the client fails to authenticate (for example, if it doesn't have any Kerberos credentials, or the authentication failed) the 401 page content will be shown.
So, to solve your problem, all you have to do is to include the login page on the 401 page.
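The exchange the answer describes, as an added example that is not part of the original answer: one request-handling function that issues the 401 with both `WWW-Authenticate: Negotiate` and the login form in the body, accepts a SPNEGO token when a domain-joined browser answers the challenge, and otherwise accepts the posted form. The Kerberos step needs a KDC and a keytab, so the token check is passed in as a callable (`accept_negotiate`); the `demo_*` backends, `DEMO_TOKEN`, `DEMO_USERS`, the `/login` action and the user/password field names are all constructed assumptions.

```python
import base64
import binascii
import hmac
from urllib.parse import parse_qs

# Constructed login form; it is the body of every 401 so that a client that cannot
# (or will not) answer the Negotiate challenge simply sees this page. Assumed to POST to /login.
LOGIN_FORM = """<!doctype html><title>Sign in</title>
<form method="post" action="/login">
  <input name="user"><input name="password" type="password">
  <button>Sign in</button>
</form>"""


def challenge():
    """401 that both invites SPNEGO and carries the form for clients that cannot do it."""
    return 401, {"WWW-Authenticate": "Negotiate", "Content-Type": "text/html"}, LOGIN_FORM


def handle_request(method, headers, body, accept_negotiate, check_password):
    """Decide how to answer one request. Returns (status, response_headers, body_text).

    headers: dict keyed by lower-case header name; body: request body bytes.
    accept_negotiate(token_bytes) -> (principal, out_token) or None. A real deployment
    would call GSSAPI accept_sec_context here with the HTTP/<fqdn> keytab (not shown).
    check_password(user, password) -> bool is the form-login backend.
    """
    auth = headers.get("authorization", "")
    if auth.startswith("Negotiate "):
        try:
            token = base64.b64decode(auth[len("Negotiate "):], validate=True)
        except (binascii.Error, ValueError):
            return challenge()          # malformed token: treat like a failed Kerberos attempt
        result = accept_negotiate(token)
        if result is None:
            return challenge()          # Kerberos failed: 401 again, form in the body
        principal, out_token = result
        hdrs = {"Content-Type": "text/plain"}
        if out_token:                   # mutual auth: the browser checks the server's reply token
            hdrs["WWW-Authenticate"] = "Negotiate " + base64.b64encode(out_token).decode()
        return 200, hdrs, f"hello {principal}"

    if method == "POST" and headers.get("content-type", "") == "application/x-www-form-urlencoded":
        fields = parse_qs(body.decode("utf-8", "replace"))
        user = fields.get("user", [""])[0]
        password = fields.get("password", [""])[0]
        if check_password(user, password):
            return 200, {"Content-Type": "text/plain"}, f"hello {user}"
        return challenge()              # wrong password: same 401 + form

    return challenge()                  # no credentials at all: let the browser try Negotiate first


# --- constructed backends so the flow runs offline (assumptions, not real GSSAPI) ---
DEMO_TOKEN = b"\x60\x81\x07demo-spnego-token"   # stands in for a real SPNEGO blob
DEMO_USERS = {"alice": "correct horse"}


def demo_accept_negotiate(token):
    """Pretend acceptor: only the constructed token is 'valid'; returns principal and reply token."""
    if hmac.compare_digest(token, DEMO_TOKEN):
        return "alice@EXAMPLE.COM", b"demo-mutual-token"
    return None


def demo_check_password(user, password):
    """Constant-time comparison against the constructed user table."""
    expected = DEMO_USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def demo_exchange():
    """Walk the three cases the answer describes; returns their status codes."""
    anon = handle_request("GET", {}, b"", demo_accept_negotiate, demo_check_password)
    krb = handle_request(
        "GET",
        {"authorization": "Negotiate " + base64.b64encode(DEMO_TOKEN).decode()},
        b"", demo_accept_negotiate, demo_check_password)
    form = handle_request(
        "POST", {"content-type": "application/x-www-form-urlencoded"},
        b"user=alice&password=correct+horse", demo_accept_negotiate, demo_check_password)
    return anon[0], krb[0], form[0]


if __name__ == "__main__":
    print(demo_exchange())
```

Two practical points: the `Negotiate` challenge must be present on the 401, because the browser only starts SPNEGO after seeing it (and only for sites it trusts for integrated authentication); and the form in the 401 body is what every non-domain client gets, so it should be served over TLS and post to a handler that, on failure, returns the same 401 rather than a 200 error page.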