APM + Kerberos

So two things:

1. I'm not sure a user-agent header evaluation is going to be reliable. Can you guarantee that a) all Kerberos-capable clients have the same UA, and that external clients will never have that UA? Is your environment set up such that external users come in with different source addresses than internal users? That would be a more reliable option.

    

2. The issue is that the browser gets "fixated" on one authentication type. If you send it a 401 in a response, then it's going to try Kerberos, and then maybe NTLM, and then eventually either Basic or just fail. This all happens in the browser without any server side intervention. Almost all modern browsers behave this way, and there's nothing you can do on the server side to control this.