iRule for HTTP Status and specific header not working

Hi Kevin, Thank you for your answer. I'll try as best I can to answer your questions.

We are wanting to clear the WWW-Authenticate header so that the single-page-applications will not lose context. My developer is telling me that clearing or setting "" for this header allows them to popup a dialog to reauthenticate within their application. If the header has the value set by the server the browser will intercept and attempt to reauthenticate the session, This causes the SPA to lose context and if the user was in something like a Map, they've lost everything and go back to app initial state. All of this works as expected in regard to our apps however when we have this particular iRule applied, the internal users on Domain computers cannot connect as the SSO is broken and the initial SPNEGO negotiation response is removed..

We ran TCP Dumps against a SPNEGO Login and see 200 response with WWW-Authenticate header with value of Negotiate and a whole bunch of Key stuff. We do not want to modify that header, only when the response is 401, which I beleive would only come from a session that can;t negotiate SPNEGO. I am not an epxert on the SSO stuff so please forgive me if I have some of this wrong. Going to try and attach a screenshot of one of the pcaps.

To summarize, the iRule I have above works fine for what we want in regard to allowing an expired session to be re-authenticated within the web application, without the user losing their context. However it breaks by clearing the header when the status is 200. Does my rule have the if statement constructed proerly to only work when the status is 401 and the WWW-authenticate headers exists? It does not seem to work that way and is clearing out the needed SPENGO keys coming back from the server.