Forum Discussion
I don't know why, but it seems like I always find answers to my issues myself after I post them here first :)
Anyway, below are the steps I took to get Kerberos authentication working on both domains and to prevent the browser from showing a login prompt.
To fall back properly and avoid multiple 401 requests, I had to change the VPE like below. At this point I was getting a login prompt when a user in domain2 tries 401 against domain1 controllers (Kerberos Auth-domain1) and fails. Clicking Cancel on the prompt successfully signs in the user (SSO) by authenticating using Kerberos Auth-domain2.
To prevent the login prompt, all I had to do was change "max login attempts" to '1' on the first Kerberos agent, i.e., Kerberos Auth-domain1.
I figured that since the default attempts were 3, the browser was prompting for login as APM was trying to re-run the 401 (at least I guess). After I made the change to '1', I stopped seeing the login prompt and users in both domains are able to authenticate through one gateway... yayy!
Hope this helps someone out there or may trigger someone to suggest a better solution. Fingers crossed!