If you want to use desktop SSO and use a fallback to Forms based authentication when that fails, you need to make sure you have a few settings right:

(Assuming you have all the desktop SSO configured properly.)

Under the [server] stanza, set the order of the authentication mechanisms.

auth-challenge-type = spnego, forms

We need to ensure that spnego is sent first, and forms second.

As per the documentation:
When SPNEGO is configured along with another authentication method, WebSEAL simultaneously sends both an SPNEGO challenge and an HTML form login back to the browser. Browsers that support SPNEGO respond with SPNEGO authentication. Browsers that do not support SPNEGO display the login form. [source]

Secondly, once we have them configured, we need to ensure that we don’t get an NTLM challenge from the browsers that won’t use the Desktop SSO.

This can be done by configuring IE to use Anonymous login:

This will prevent you from getting this error:

---

Server Error

Access Manager WebSEAL could not complete your request due to an unexpected error.

Diagnostic Information

Method: GET

URL: /

Error Code: 0x38cf0963

Error Text: DPWWA2403E Your browser supplied NTLM authentication data. NTLM is not supported by WebSEAL. Please make sure your browser is configured to use Integrated Windows Authentication.

Solution

Provide your System Administrator with the above information to assist in troubleshooting the problem.