Here is the final solution that I implemented; it is working for all the different user states/disable flag values:
Problem statement: to have Kerberos-based authentication for users on the domain and on the network, and fall back to form-based authentication otherwise. We were getting a Windows pop-up in the failover case and wanted to get rid of it.
Solution: below is the script used on the access gateway server:
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<script src="jquery-3.3.1.min.js"></script>
<script>
// Read a query-string parameter. SiteMinder prefixes the TARGET value with
// "-SM-" or "$SM$", so those markers are stripped before the value is used.
function getUrlParameter(name) {
    name = name.replace(/[\[]/, '\\[').replace(/[\]]/, '\\]');
    var regex = new RegExp('[\\?&]' + name + '=([^&#]*)');
    var results = regex.exec(location.search);
    return results === null ? '' : decodeURIComponent(results[1].replace(/\+/g, ' ').replace('-SM-', '').replace('$SM$', ''));
}

$(document).ready(function () {
    // Probe a resource protected by the Kerberos authentication scheme.
    // withCredentials lets the browser answer the Negotiate challenge.
    // async:false is synchronous XHR (deprecated on the main thread in
    // modern browsers); it is kept here because the redirect depends on it.
    $.ajax({
        type: 'GET',
        xhrFields: {
            'withCredentials': true
        },
        crossDomain: true,
        url: '', // Dummy URL protected with the Kerberos authentication scheme
        cache: false,
        async: false,
        success: function () {
            // Kerberos succeeded: send the user straight to the original TARGET.
            // Caveat: TARGET comes unvalidated from the query string, so restrict it
            // to your own hosts before deploying, or this page is an open redirect.
            var target = getUrlParameter('TARGET');
            console.log("Success!");
            window.location = target;
        },
        error: function (XMLHttpRequest, textStatus, errorThrown) {
            // Kerberos failed (401, or the 500 from the removed password service):
            // strip scheme and host from TARGET and hand it to the form login.
            var target = getUrlParameter('TARGET');
            target = target.replace(/^https?:\/\/[^\/]+/g, "");
            console.log("some error " + textStatus + " " + errorThrown);
            console.log(XMLHttpRequest);
            window.location = "domain/fallback.jsp?TARGET=" + target; // Fallback URL protected with the form-based authentication scheme
        }
    });
});
</script>
</head>
<body>
<h1>Redirecting to app...</h1>
</body>
</html>
Fallback.jsp is protected with an MFA authentication scheme.
To handle the different disable flag values (2, 8, 1, etc.), we disabled the password policy on the Kerberos authentication scheme, but then it triggered the SiteMinder default password service with smauthreason 7, so we removed the password service itself (renamed smpw.fcc) so that it returns a 500 and goes to the error condition in the script above, which makes it fall back to the form.
We have our own custom password service URL for form-based authentication, so there was no need for the default one; removing it also helped resolve the use case above.
We had issues with the OOB solution with different user states; it also needs an additional Windows server and uses NTLM-based authentication, so this solution works and can be considered a potential one.
Thanks, wadami, for all your help.
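The post's script takes TARGET from the query string and assigns it to window.location without checking it, which makes the redirector page usable as an open redirect to any host or even a javascript: URL. The following is an added example, not code from the original post or from SiteMinder, showing the same probe-then-fallback decision with the target validated against an allow-list of hosts. PROBE_URL, FALLBACK_URL, ALLOWED_HOSTS and the use of fetch are assumptions for this example; the probe is taken to be same-origin, so no CORS setup is needed, and the decision logic is kept in pure functions so it can be exercised outside a browser.

```javascript
// Added example (not from the original post): Kerberos-probe-then-fallback
// redirector with TARGET validation. PROBE_URL, FALLBACK_URL and ALLOWED_HOSTS
// are placeholders assumed for this example.
const PROBE_URL = '/kerberos-probe';        // assumed: a resource protected by the Kerberos scheme
const FALLBACK_URL = '/fallback.jsp';       // assumed: a resource protected by the form/MFA scheme
const ALLOWED_HOSTS = ['app.example.com'];  // assumed: hosts a TARGET may legitimately point to

// Read TARGET from the query string. SiteMinder prefixes the value with
// "-SM-" or "$SM$"; strip that marker, as the original script does.
// URLSearchParams handles %xx and '+' decoding.
function getSmTarget(search) {
  const raw = new URLSearchParams(search).get('TARGET') || '';
  return raw.replace(/^(-SM-|\$SM\$)/, '');
}

// Resolve TARGET against the page origin and accept it only if it is an
// http(s) URL on an allow-listed host. javascript:/data: schemes,
// protocol-relative //evil.example/... values, foreign hosts and unparsable
// input all collapse to the site root, so the page cannot be used as an
// open redirect.
function sanitizeTarget(target, origin, allowedHosts) {
  const safeDefault = new URL('/', origin).href;
  let url;
  try {
    url = new URL(target, origin);
  } catch (e) {
    return safeDefault;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return safeDefault;
  if (!allowedHosts.includes(url.hostname)) return safeDefault;
  return url.href;
}

// Build the form-login URL, passing only path+query of the validated target,
// which is what the original error branch does by stripping scheme and host.
function fallbackUrl(target, origin) {
  const u = new URL(sanitizeTarget(target, origin, ALLOWED_HOSTS));
  return FALLBACK_URL + '?TARGET=' + encodeURIComponent(u.pathname + u.search);
}

// Pure decision: given the page's query string and origin and the outcome of
// the Kerberos probe, return where the browser should go.
function chooseDestination(search, origin, probeOk) {
  const target = getSmTarget(search);
  return probeOk
    ? sanitizeTarget(target, origin, ALLOWED_HOSTS)
    : fallbackUrl(target, origin);
}

// Probe the Kerberos-protected resource. credentials:'include' lets the
// browser answer the Negotiate challenge; redirect:'manual' makes a redirect
// to a login page come back as an opaque, non-ok response rather than the
// form's own 200. A 401 (not on domain), a 500 (removed smpw.fcc) or a
// network error all count as "fall back". Asynchronous, unlike async:false.
async function probeKerberos(fetchImpl = globalThis.fetch) {
  try {
    const res = await fetchImpl(PROBE_URL, {
      credentials: 'include',
      cache: 'no-store',
      redirect: 'manual',
    });
    return res.ok;
  } catch (e) {
    return false;
  }
}

// Browser entry point; skipped when the file is loaded outside a browser.
if (typeof window !== 'undefined') {
  probeKerberos().then((ok) => {
    window.location.assign(
      chooseDestination(window.location.search, window.location.origin, ok)
    );
  });
}
```

If the probe must be cross-origin, as in the post's crossDomain setup, the Kerberos-protected resource has to answer with Access-Control-Allow-Origin set to the exact page origin and Access-Control-Allow-Credentials: true, or the response is opaque and every probe counts as a failure.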