APM + Kerberos

Technically speaking it'd be easy to do in an access policy in iRules, based on the presence or absence or an Authorization header in the client's request. The problem is that browsers don't generally work that way. If you send a 401 on initial access, and the client is unable to satisfy it, the browser will either re-prompt the user or just fail completely. One of the best approaches to handling this scenario, if your environment supports it, is to filter the clients based on source IP address. Anyone that can requests a Kerberos ticket for a web server is very likely on the same network as that KDC, while everyone else may not be. You could then use an iRule or APM's IP Subnet Match agent in the visual policy to direct different types of users down different VPE paths. One path for a logon page, and the other for client side Kerberos.