In general terms, triggering a Kerberos (SPNEGO) authentication will fall flat on its face if the browser doesn't support/allow it (e.g. non-domain machine/login, or not trusted) - that is, the browser will simply stop. Therefore you either need some trickery to detect this (maybe a <meta http-equiv="refresh" ...> on the 401 page) or - better - to only trigger it when you know it will succeed.
For our IdP, we have the Kerberos Login Handler (https://wiki.shibboleth.net/confluence/display/SHIB2/Kerberos+Login+Handler) installed but the standard UsernamePassword handler, configured to use LDAP for authentication, set as the default. Our managed (domain-connected) PCs get a cookie set on (Windows) login to enable it, and login.jsp tests this cookie and redirects to the Kerberos Login Handler if required (equivalent to what the "auto-login" in the default handler setup does). Ugly but all done server-side and it works well...
Instead of looking for a cookie you could, as Jon wrote, test the client IP address, but this can be problematic as he described. More comparable to the cookie, another alternative we considered was to look for a specially configured value in User-agent. In our case, client IP address was considered not sufficiently reliable, a cookie was necessary anyway as a means to disable the use of Kerberos, and we already had a browser launching on (Windows) login. So it was straightforward to use a cookie to enable Kerberos too.
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Colleen Romero
Sent: 26 August 2014 09:17
To: [log in to unmask]
Subject: Kerberos and LDAP
Does anyone know how to set up Shibboleth IdP to use Kerberos SSO against Windows Active Directory, but failover to LDAP if the user is not logged onto an AD domain member?
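The server-side routing described in the reply above (look for an enabling cookie set at Windows login, honour a disabling cookie, and otherwise fall back to the default username/password handler) can be illustrated with the following plain Java class. This is an added example, not code from the list post, from login.jsp, or from the Shibboleth project; the cookie names, the handler URLs and the parsing helper are all assumptions chosen for the illustration.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Decides whether a login request should be sent to the Kerberos (SPNEGO)
 * login handler or left on the default password form, based only on cookies
 * that a trusted domain-login process is assumed to have set.
 *
 * The cookie is a routing hint, not an authentication claim: a missing or
 * forged cookie can at worst send a browser to a handler that then fails
 * (or to the password form), never log anyone in.
 */
public class KerberosRoutingDecision {

    // Assumed cookie names; the real deployment would pick its own.
    static final String ENABLE_COOKIE = "kerberos-login";
    static final String DISABLE_COOKIE = "kerberos-disabled";

    // Assumed handler locations (placeholders, not real IdP paths).
    static final String KERBEROS_HANDLER_URL = "/idp/Authn/Kerberos-PLACEHOLDER";
    static final String PASSWORD_FORM_URL = "/idp/Authn/UserPassword-PLACEHOLDER";

    /** Parses a raw Cookie request header ("a=1; b=2") into a name/value map. */
    static Map<String, String> parseCookies(String cookieHeader) {
        Map<String, String> cookies = new HashMap<>();
        if (cookieHeader == null || cookieHeader.trim().isEmpty()) {
            return cookies;
        }
        for (String pair : cookieHeader.split(";")) {
            String trimmed = pair.trim();
            int eq = trimmed.indexOf('=');
            if (eq <= 0) {
                continue; // malformed fragment, ignore rather than fail
            }
            cookies.put(trimmed.substring(0, eq).trim(), trimmed.substring(eq + 1).trim());
        }
        return cookies;
    }

    /**
     * True only when the enabling cookie is present with the expected value
     * and no disabling cookie has been set. Anything else means "do not try
     * SPNEGO", which keeps non-domain browsers off the dead-end 401 path.
     */
    static boolean shouldTryKerberos(String cookieHeader) {
        Map<String, String> cookies = parseCookies(cookieHeader);
        if (cookies.containsKey(DISABLE_COOKIE)) {
            return false;
        }
        return "1".equals(cookies.get(ENABLE_COOKIE));
    }

    /** The URL login.jsp would redirect to (e.g. via response.sendRedirect). */
    static String chooseHandler(String cookieHeader) {
        return shouldTryKerberos(cookieHeader) ? KERBEROS_HANDLER_URL : PASSWORD_FORM_URL;
    }

    public static void main(String[] args) {
        // Constructed sample Cookie headers for the three interesting cases.
        String managedPc = "JSESSIONID=abc123; kerberos-login=1";
        String optedOut = "kerberos-login=1; kerberos-disabled=1";
        String homePc = "JSESSIONID=abc123";

        System.out.println("managed PC -> " + chooseHandler(managedPc));
        System.out.println("opted out  -> " + chooseHandler(optedOut));
        System.out.println("home PC    -> " + chooseHandler(homePc));
        System.out.println("no header  -> " + chooseHandler(null));
    }
}
```

In a login.jsp the decision reduces to a scriptlet that calls chooseHandler with request.getHeader("Cookie") and issues a redirect when the Kerberos handler is chosen; because the check runs entirely server-side before the 401 challenge is ever emitted, a browser that cannot do SPNEGO never sees the challenge and lands on the password form instead.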