To ask a browser to provide a Kerberos token, I send a 401 response with the "WWW-Authenticate: Negotiate" header.
If the browser can't find a Kerberos library, the user doesn't have a ticket, or the site isn't whitelisted, the browser wont' be able to send a Kerberos token, and will just display a 401 Unauthorized page. Is there a way I can redirect instead?
