Configuring APM Client Side NTLM Authentication
Brad, this is just from my own personal experience, but it seems to me, from most previous posts on the matter, that there's a general misconception about how browsers perform Windows integrated authentication. The issue that Javier was trying to solve was just that: the ability to do NTLM for one group of users and a logon page for another. But browsers don't work that way, and there's nothing a server (not an F5, not Apache, not NGINX) can do about this. Once the browser gets the Authorization with Negotiate header, the server has to just wait for a response. That's why you use things like registry checks (for domain membership) or IP subnet matches to preemptively filter users into different authentication schemes. ECA is needed only when you have to enable/disable NTLM dynamically. As for struggles with NTLM in general, I don't think F5 admins/users are alone here. Windows integrated authentication has been a pain to configure for as long as I can remember.
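The subnet pre-filter described in the post above, as an added Python sketch that is not part of the original post and is not F5 or APM configuration. The subnets, the function names and the returned labels are assumptions made for illustration.

```python
import base64
import ipaddress
import struct

# Assumption for illustration: subnets where clients are domain-joined.
NTLM_SUBNETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.168.50.0/24")]
NTLMSSP = b"NTLMSSP\x00"  # signature that opens every NTLM message


def ntlm_message_type(token_b64):
    """Return the NTLM message type (1, 2 or 3) in a base64 token, or None."""
    try:
        raw = base64.b64decode(token_b64.strip(), validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP):
        return None  # e.g. a SPNEGO/Kerberos token, or garbage
    return struct.unpack_from("<I", raw, 8)[0]


def choose_auth(client_ip, authorization=None):
    """Pick the authentication path for one request (hypothetical helper)."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return "logon_page"
    # The subnet test runs first: a client outside these ranges must never
    # see a 401 challenge, because the browser alone decides how to answer it.
    if not any(addr in net for net in NTLM_SUBNETS):
        return "logon_page"
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.lower() not in ("ntlm", "negotiate"):
        return "challenge"      # reply 401 with WWW-Authenticate, then wait
    msg_type = ntlm_message_type(token)
    if msg_type == 1:
        return "send_type2"     # client opened the handshake
    if msg_type == 3:
        return "validate"       # client answered the server challenge
    return "reject"             # not an NTLM message this sketch handles
```
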