I would like to support both Kerberos and standard username+password authentication (via web form) in parallel. This is works fine, when the client is in the domain. The server returns the HTTP header "WWW-Authenticate: Negotiate" and sends an HTTP error 401 (unauthorized), as required by the Kerberos protocol, and the browser client then continues by sending the required information. But when the login page is accessed from outside the domain, the process stops on the client-side after receiving the 401.
Is there a way to run these two authentication methods in parallel? (same question here, without a conclusive solution: Optional SPNEGO Kerberos authentication)
You are better off implementing the same approach as
mod_auth_gssapi, it offersBasicalso and performs the auth loop internally as if your client is sending the SPNEGO token.