Kerberos: Form login fallback for IE (how to cope with IE flaw?)
We are moving from NTLM authentication with IIS to Kerberos authentication with SAP Java AS on NW04s. We need to have a username/password fallback for a user in case Kerberos authentication fails (for example, misconfiguration of the client can cause an NTLM token to be sent, and this will be rejected).
The problem is stated in the SPNegoLoginModule Installation Guide:
"Currently there is a problem with the Internet Explorer, the Windows Integrated Authentication using Kerberos and the POST method. The http POST does not work properly. Therefore, the fallback to password authentication in case of a Kerberos authentication failure doesn't work. The only workaround is to switch off Kerberos in the browser. Microsoft has committed that they have a problem (see )."
Reference  points to http://support.microsoft.com/default.aspx?scid=kb;en-us;308074
The workaround described by Microsoft is actually not a feasible workaround, since it involves changing the configuration of the client IE software.
Has anyone implemented a solution for this?
As far as I can see the only solution is to
1. Create a new authscheme for Kerberos
2. Implement a revised new version of com.sap.portal.runtime.logon.par which redirects to the login page of another authscheme in case of login failure
3. Assign frontendtarget for Kerberos to component in 2.
4. Set Kerberos as default authscheme for portal
But this will have to be repeated for each SP installation and I would very much like to avoid that complexity.
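For diagnosing the NTLM-instead-of-Kerberos case mentioned in the post, the following classifies the token carried in a captured `Authorization: Negotiate` header. It is an added example, not part of the original post or of SAP's SPNegoLoginModule; the function names and the sample header are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06 + length + value); well-known values.
OIDS = {
    bytes.fromhex("06062b0601050502"): "spnego",
    bytes.fromhex("06092a864886f712010202"): "kerberos",
    bytes.fromhex("06092a864882f712010202"): "kerberos",  # legacy Microsoft OID
    bytes.fromhex("060a2b06010401823702020a"): "ntlm",
}

# Constructed sample: header carrying a raw NTLM type 1 message.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate ...' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64, validate=True)
        if tok.startswith(b"NTLMSSP\x00"):
            return "ntlm"                  # raw NTLM, no GSS-API framing
        tag, start, _ = read_tlv(tok, 0)
        if tag != 0x60:                    # GSS-API InitialContextToken
            return "unknown"
        _, _, oid_end = read_tlv(tok, start)
        mech = OIDS.get(tok[start:oid_end], "unknown")
        if mech != "spnego":
            return mech
        # NegTokenInit: [0] -> SEQUENCE -> [0] mechTypes -> SEQUENCE -> first OID
        pos = oid_end
        for expected in (0xA0, 0x30, 0xA0, 0x30):
            tag, pos, _ = read_tlv(tok, pos)
            if tag != expected:
                return "unknown"
        _, _, first_end = read_tlv(tok, pos)
        return OIDS.get(tok[pos:first_end], "unknown")   # preferred mechanism
    except (ValueError, IndexError):
        return "malformed"
```

For SPNEGO tokens the result is the first (preferred) entry of the mechTypes list, so a client that wraps NTLM inside SPNEGO is reported as `ntlm` as well.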