I'm trying to set up Kerberos with NTLM fallback using a Mac as a test Kerberos-only client. I've managed to get the Kerberos part working, but the Mac client is getting occasional pop-ups asking for authentication from time to time. It seems to be random but almost always happens when they start the browser. If they cancel out of the 2 or 3 authentication windows, then they are able to browse and the Kerberos authentication begins working on the backend MWG.
Below is a screenshot of the current authentication configuration:
If I disable the first rule, "Authenticate With NTLM", the problem does not occur. But I still need to be able to fall back to NTLM for my Windows users.
Any ideas what might be causing these pop-ups on the Mac?
I do not know what is causing this. I would suggest opening a ticket with support to have them look at tcpdump data and possibly the auth debug log. The debug log may actually already give you some hint.
If all your Macs can use Kerberos, I'd just add a criterion to the first rule to exclude it for user agents matching the string "Macintosh" (Safari, Firefox, and Chrome all have this string in the User-Agent header) on the Mac.