You can configure an optional authentication class that is executed either when Kerberos authentication fails or when Kerberos authentication has to be skipped.
For information about how to skip the Kerberos authentication for certain IP addresses, see (Optional) Excluding Kerberos Authentication for Specific IP Addresses.
To configure the fallback authentication class, perform the following steps:
Go to Identity Server Cluster > Edit > Local > Methods > (Kerberos Method) > Properties.
Add a new property/value pair with the name FALLBACK_AUTHCLASS and set the property value to the qualified class name, such as com.novell.nidp.authentication.local.PasswordClass.
The class name value must be the same as the value configured in the Java class path of the class at Identity Server Cluster > Edit > Local > Classes > (Authentication class).
NOTE: If your authentication class requires a custom JSP file for seeking credentials, add the property JSP and specify the name of the JSP file. When the JSP property is not specified, Identity Server uses the default login.jsp for seeking the credentials.
If you want to fall back to basic authentication, configure any one of the following properties:
Property Name: FALLBACK_AUTHCLASS
Property Value: Basic or com.novell.nidp.authentication.local.BasicClass
IMPORTANT: The property name is case-sensitive.
For example, if you want to fall back to RADIUS, configure the following properties for the Kerberos method:
FALLBACK_AUTHCLASS=com.novell.nidp.authentication.local.RadiusClass
JSP=radiuslogin
Server=<<comma-separated RADIUS IPs>>
SharedSecret=<<secret string>>
Port=<<port>>
ReplyTime=7000 (in milliseconds, this is optional)
ResendTime=2000 (in milliseconds, this is optional)
Retry=5 (this is optional)
Password=false
You can configure fallback to another mechanism based on an incoming header. In the Kerberos method, add a property with the name NO_NEGO_HEADER_NAME and, as its value, specify the header for which Kerberos authentication needs to be ignored.
For example, suppose you have configured the name NO_NEGO_HEADER_NAME with the value X-NovINet in the Kerberos method properties. Then, if the client comes with the header X-NovINet, the Kerberos class is not executed and authentication falls back to the name/password form by default or to the configured fallback mechanism.
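Added example (not product code or part of the product documentation): a Python check that lints the property list of a Kerberos method before it is entered in the console. The property names come from this page; the name=value input format, the function names, the checks, and the assumption that Server, SharedSecret and Port are required for RADIUS are this example's own.

```python
# Added example, not product code. Property names are from this page; checks are assumptions.
KNOWN = ("FALLBACK_AUTHCLASS", "JSP", "NO_NEGO_HEADER_NAME", "Server",
         "SharedSecret", "Port", "ReplyTime", "ResendTime", "Retry", "Password")
RADIUS_CLASS = "com.novell.nidp.authentication.local.RadiusClass"
# Assumption: the RADIUS properties the page does not mark optional are required.
RADIUS_REQUIRED = ("Server", "SharedSecret", "Port")


def parse(text):
    """Parse name=value lines into a dict, ignoring blank lines."""
    props = {}
    for line in text.splitlines():
        if line.strip():
            name, _, value = line.partition("=")
            props[name.strip()] = value.strip()
    return props


def lint(props):
    """Return findings (strings) for one Kerberos method's properties."""
    findings = []
    canonical = {name.lower(): name for name in KNOWN}
    for name, value in props.items():
        expected = canonical.get(name.lower())
        if expected and expected != name:
            # Names are case-sensitive, so a mis-cased name is a different property.
            findings.append(f"{name}: wrong case, expected {expected}")
        if "<<" in value:
            findings.append(f"{name}: placeholder value not replaced")
    fallback = props.get("FALLBACK_AUTHCLASS")
    if fallback == RADIUS_CLASS:
        findings += [f"{req}: missing for RADIUS fallback"
                     for req in RADIUS_REQUIRED if not props.get(req)]
    if "NO_NEGO_HEADER_NAME" in props and fallback is None:
        findings.append("NO_NEGO_HEADER_NAME: no FALLBACK_AUTHCLASS, "
                        "header falls back to the name/password form")
    if fallback is not None and "JSP" not in props:
        findings.append("JSP: not set, default login.jsp is used")
    return findings


# Constructed sample: mis-cased property name and an unreplaced placeholder.
SAMPLE = """\
Fallback_AuthClass=com.novell.nidp.authentication.local.RadiusClass
JSP=radiuslogin
Server=192.0.2.10,192.0.2.11
SharedSecret=<<secret string>>
NO_NEGO_HEADER_NAME=X-NovINet
"""
```

Running lint(parse(SAMPLE)) shows the effect of the case-sensitivity rule: because the fallback property name is mis-cased, the check treats the method as having no fallback class, so the RADIUS checks are skipped and a request carrying the X-NovINet header is reported as falling back to the default name/password form.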