Optional kerberos authentication?

Question

Is it possible to do optional kerberos authentication?

What I want is: if the client (browser) is not on the domain it is redirected to a username/password web login

Answer 1

if you're using Apache, the Cosign module can be adjusted to do this with some JavaScript on the (normal, in-band auth) login page, and a second path to the login controller that's Kerberos authenticated. The "regular" login form tests if access to a Kerberos-protected resource succeeds, and redirects the browser to complete login automatically if so.

To my mind the above seems a bit backwards, and it's objectionable to add a JavaScript requirement where it's not strictly necessary. I think Elias Mårtenson's answer has it right - attempt Kerberos and fall back to in-band login within an HTTP 401 response - but whether it's possible depends on your environment.