Its unfortunately part of the spnego protocol: https://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.web... The server responds with a 401 and then the browser tries authenticating with Kerberos. The server has no idea if the client trusts it for Kerberos or not until after the 401 and then a negotiation is started. Best bet would be to somehow configure it as one possible login button that a user could chose. Thanks, Kevin ________________________________________ From: keycloak-user-bounces(a)lists.jboss.org [keycloak-user-bounces(a)lists.jboss.org] on behalf of Janik [janik-keycloak(a)familie-krallmann.de] Sent: Thursday, February 28, 2019 11:53 AM To: keycloak-user(a)lists.jboss.org Subject: [keycloak-user] Authentication with Kerberos and login screen fallback Hello guys, I have an web application where I'd like to use Keycloak for authentication. If possible the user should login via Kerberos. If not use login screen. On my computer I have a valid Kerberos ticket and the login works fine. If I try to login for example from another device I always get the error-code 401. I expected to get the login screen instead. If I configure the trusted-uris on these device the login screen appears. I successfully configured an LDAP User Federation provider with Kerberos integration. I used this instructions (https://www.keycloak.org/docs/2.5/server_admin/topics/authentication/kerb...) to create the authentication flows. Is it possible to use Kerberos authentication from known devices and use the login screen from unknown devices where I can't configure trusted-uris? One example could be my mobile phone where I'm not able to configure something. Thanks in advance. _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user