Forum Discussion
I've been noodling on this one and it occurred to me that:
- A browser will not send a Kerberos ticket unless the server asks for one (via 401 response).
- A browser that receives a 401 response, and cannot satisfy it with a Kerberos ticket, will generally prompt the user with a credential dialog box. There's no opportunity to fail over to a form page if Kerberos fails. You could very easily do Basic authentication since you're already getting a logon dialog though.
Another alternative is perhaps to switch client side SSO methods based on an attribute of the client. If external and internal clients have different IP ranges, you could prompt them differently. Of course if an internal user failed to present a Kerberos ticket after 401, they'd get a credential dialog.
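The IP-based switching described in the post above, sketched as an added example that is not part of the original post: internal clients get a `401` with `WWW-Authenticate: Negotiate`, everyone else is redirected to a form page. The network ranges, the `/login` path and the function names are assumptions made for illustration, and the decision is keyed on the TCP peer address rather than a client-supplied header such as `X-Forwarded-For`.

```python
import ipaddress

# Constructed sample ranges (assumption); replace with the real internal networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
FORM_LOGIN_PATH = "/login"  # hypothetical form-based logon page


def is_internal(peer_ip):
    """True if the TCP peer address falls inside a configured internal range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparsable address: treat as external
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in INTERNAL_NETS if net.version == addr.version)


def choose_auth(peer_ip, authorization=None):
    """Return (action, status, headers) for a request with no session yet.

    action is "form", "challenge" or "validate"; status is None when the
    request should be handed on to Kerberos ticket validation.
    """
    if not is_internal(peer_ip):
        # External clients never see a 401, so no browser credential dialog.
        return ("form", 302, {"Location": FORM_LOGIN_PATH})
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.lower() == "negotiate" and token.strip():
        # The browser answered the challenge; the token still has to be validated.
        return ("validate", None, {"token": token.strip()})
    # No usable Authorization header yet: the browser sends a ticket only
    # after it has been asked for one with a 401.
    return ("challenge", 401, {"WWW-Authenticate": "Negotiate"})


if __name__ == "__main__":
    for ip, hdr in [("10.1.2.3", None), ("10.1.2.3", "Negotiate YIIabc"),
                    ("203.0.113.9", None), ("::ffff:192.168.4.4", None)]:
        print(ip, hdr, "->", choose_auth(ip, hdr))
```
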