If you want to use desktop SSO and fall back to forms-based authentication when it fails, you need to get a few settings right.
(This assumes desktop SSO itself is already configured properly.)
First, under the [server] stanza, set the order of the authentication mechanisms:
auth-challenge-type = spnego, forms
We need to ensure that spnego is sent first, and forms second.
As per the documentation:
When SPNEGO is configured along with another authentication method, WebSEAL simultaneously sends both an SPNEGO challenge and an HTML form login back to the browser. Browsers that support SPNEGO respond with SPNEGO authentication. Browsers that do not support SPNEGO display the login form. [source]
Secondly, once both mechanisms are configured, we need to ensure that we don’t get an NTLM challenge response from browsers that won’t use desktop SSO.
This can be done by configuring IE to use Anonymous login:
This will prevent you from getting this error:
Access Manager WebSEAL could not complete your request due to an unexpected error.
Error Code: 0x38cf0963
Error Text: DPWWA2403E Your browser supplied NTLM authentication data. NTLM is not supported by WebSEAL. Please make sure your browser is configured to use Integrated Windows Authentication.
Provide your System Administrator with the above information to assist in troubleshooting the problem.
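When troubleshooting this error, it helps to confirm what the browser actually put in its Authorization header. The following is an added example, not part of the original post or of WebSEAL: it classifies a captured header value as raw NTLM (the condition the error text describes) or a GSS-API/SPNEGO token. The function names and the sample headers are constructed for illustration, and it assumes you have the header value from a browser trace or proxy log.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"                          # start of every raw NTLM message
SPNEGO_OID = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10


def classify_authorization(header_value):
    """Return what kind of token an Authorization header value carries."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "not-negotiate"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return "malformed"
    if token.startswith(NTLMSSP_SIG):
        return "ntlm"  # raw NTLM, not wrapped in GSS-API
    if token[:1] == b"\x60":  # ASN.1 tag of a GSS-API initial context token
        # A token offering both mechanisms is reported as Kerberos-capable.
        if KRB5_OID in token:
            return "spnego-kerberos"
        if NTLM_OID in token:
            return "spnego-ntlm"
        return "gss-unknown"
    return "unknown"


def _constructed_spnego(mech_oid):
    # Constructed sample: a minimal NegTokenInit holding only a mechTypes list.
    body = mech_oid
    for tag in (0x30, 0xA0, 0x30, 0xA0):
        body = bytes([tag, len(body)]) + body
    body = SPNEGO_OID + body
    return "Negotiate " + base64.b64encode(bytes([0x60, len(body)]) + body).decode()


# Constructed header values, not captured from a real browser.
SAMPLES = {
    "raw_ntlm": "Negotiate " + base64.b64encode(
        NTLMSSP_SIG + bytes.fromhex("01000000078208a2")).decode(),
    "kerberos": _constructed_spnego(KRB5_OID),
    "wrapped_ntlm": _constructed_spnego(NTLM_OID),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:13s} {classify_authorization(value)}")
```

A raw NTLM token is recognizable even without decoding: its base64 form always begins with `TlRMTVNT`.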