Forum Discussion
Kerberos 401 authentication with form fallback
No, not what I'm saying. When the server sends its 401, it's also going to send one or more "Authorization" headers, which can either have a value of "Basic", "NTLM", or "Negotiate" (which means Kerberos or NTLM). The browser uses this information to decide how to authenticate. For example, if only a Basic authorization header is sent, the browser can only respond with Basic credentials. If it gets a Negotiate, and it's a member of a domain, it'll try Kerberos or NTLM (with a preference for Kerberos). If, however, it cannot satisfy any of these, it will just fail. It won't send anything back to the server. It won't ask for other options. It will just fail.
And since there's no request from the browser if it fails, there's no event for the server (APM) to respond to. APM cannot follow a fallback branch, simply because the client didn't send any request. You can actually see this if you fire up Developer tools in your browser (or Fiddler). It doesn't matter if it's Edge, Firefox, Chrome, whatever. This is how all browsers behave with Windows Integrated Authentication. That you're setting negotiate+basic, and the browser selects Basic, means that the browser itself can't satisfy the negotiate request, so falls back to Basic.
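The client-side decision described in the reply above can be modelled as follows. This is an added example, not code from the original post or from F5: it parses the `WWW-Authenticate` challenges of a 401 response and returns the scheme the client would answer with, or `None` when it sends no follow-up request. The function names, the `usable` set, the preference order and the sample responses are assumptions constructed for illustration.

```python
import re

# Assumed preference order, modelled on the post: Negotiate, then NTLM, then Basic.
PREFERENCE = ("negotiate", "ntlm", "basic")

def offered_schemes(raw_response):
    """Schemes offered in the WWW-Authenticate headers of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        # One header may carry several challenges; split on commas outside quotes.
        for part in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', value):
            tokens = part.split()
            if tokens and tokens[0].lower() in PREFERENCE:
                if tokens[0].lower() not in schemes:
                    schemes.append(tokens[0].lower())
    return schemes

def next_request_scheme(raw_response, usable):
    """Scheme the client answers with, or None when it sends no follow-up request.

    `usable` is the set of schemes this client can satisfy (hypothetical input).
    """
    if raw_response.split(" ", 2)[1] != "401":
        return None
    offered = offered_schemes(raw_response)
    for scheme in PREFERENCE:
        if scheme in offered and scheme in usable:
            return scheme
    return None  # nothing reaches the server, so no fallback branch can run

# Constructed sample responses.
NEGOTIATE_ONLY = "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n\r\n"
NEGOTIATE_AND_BASIC = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    'WWW-Authenticate: Basic realm="example, internal"\r\n\r\n'
)

if __name__ == "__main__":
    for label, raw in (("negotiate only", NEGOTIATE_ONLY),
                       ("negotiate+basic", NEGOTIATE_AND_BASIC)):
        print(label, "->", next_request_scheme(raw, usable={"basic"}))
```

Running the same check against 401 responses captured with developer tools or Fiddler shows which schemes a policy actually offers to clients that cannot satisfy Negotiate.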