APM + Kerberos

Technically speaking it'd be easy to do in an access policy in iRules, based on the presence or absence or an Authorization header in the client's request. The problem is that browsers don't generally work that way. If you send a 401 on initial access, and the client is unable to satisfy it, the browser will either re-prompt the user or just fail completely. One of the best approaches to handling this scenario, if your environment supports it, is to filter the clients based on source IP address. Anyone that can requests a Kerberos ticket for a web server is very likely on the same network as that KDC, while everyone else may not be. You could then use an iRule or APM's IP Subnet Match agent in the visual policy to direct different types of users down different VPE paths. One path for a logon page, and the other for client side Kerberos.

So two things:

1. I'm not sure a user-agent header evaluation is going to be reliable. Can you guarantee that a) all Kerberos-capable clients have the same UA, and that external clients will never have that UA? Is your environment set up such that external users come in with different source addresses than internal users? That would be a more reliable option.

    

2. The issue is that the browser gets "fixated" on one authentication type. If you send it a 401 in a response, then it's going to try Kerberos, and then maybe NTLM, and then eventually either Basic or just fail. This all happens in the browser without any server side intervention. Almost all modern browsers behave this way, and there's nothing you can do on the server side to control this.