Kerberos authentication card does not fallback to basic auth when no kerberos token has been provided by the client

Access Manager setup with a variety of Linux Access Gateway protected resources. Some of these resources require Kerberos based authentication, whilst others require form based authentication. All authentications to Kerberos enabled protected resources work fine when the kerberos token is submitted in response to the HTTP '401 Authentication required' request from the Identity server. In the case where the user is not a member of the Active Directory domain, the user should get prompted for authentication using the HTTP basic authentication popup.

A change was added to the kerberos fallback mechanism in 3.1 SP1 IR1 whereby users that cannot provide a valid kerberos token will fallback to a HTTP basic authentication request. This will allow external users that are not connected to the domain access kerberos enabled protected resources from home, provided the credentials are valid.