Forum Discussion
I don't immediately see how it's possible to tell if a PC is able to authenticate without asking it via a 401, which produces a browser auth pop-up. Is there anything in the initial HTTP request that you can use to tell this class of clients from the other class of clients?
Well, perhaps you could use the Group Policy IEM tool to modify the User-Agent and show the 401 to only those guys via some simple VPE logic? But they would have to use only IE, unless there is some way to do this with Firefox for a group of PCs.
https://technet.microsoft.com/en-us/library/cc770379.aspx
Further to my investigation with debug, I found the following line:
bigip debug apmd[16352]: 01490000:7: memcache.c func: "mc_convert_session_var_to_mc_key()" line: 2564 Msg: Converted Var: session.logon.last.authparam to Session Var tmm.session.fa70bd95.session.logon.last.authparam
It assigned a variable to session.logon.last.authparam when I am trying to access the URL from outside, with the session variable as shown above. So there is no way the branch rule in the 401 HTTP response will fall back, because session.logon.last.authparam}] != "" will always have a variable and it will go to Kerberos Auth.