This is between a bug and a enhancement request.
If a server supports multiple authentication methods, it is possible for it to include multiple WWW-Authenticate headers in its authentication challenge response.
This would allow clients that didn't support kerberos for example to still negotiate basic auth. And no 'chaining' would be required on the Alfresco side.
When a kerberos login fails either in explorer or in Share we fall back to a HTML login form.
This is interesting but limits client to web browser.
In SPP for instance, an office program (words, etc...) cannot deal with HTML forms.
could it be possible to make a failed kerberos or failed NtLM fall back to a HTTP Basic Auth?
Note: other kerberos middleware seem to provide this kind of fallback mechanism, see mod_auth_kerberos e.g.:
To summarize, what we want is to have mutiple headers in the 401 response from the client:
currently or in the past if you had 'kerberos' in your chain the server was returning either
as you can understand returning always the 2nd form will confuse clients that cannot do kerberos and they may never send basic as in your soap case but returning always WWW-Authenticate: Basic
is not good either as you will never get SSO so the solution is really in implementing
ACE-2678 and send both