While configuring Windows SSO (Kerberos) with NFL for Notes client using F5 IdP, it has been observed that it is still showing IdP authentication popup. We don't want that users have to enter an username and password when they open the Notes Client.
Already implemented IWA for F5 IdP as IWA provides Notes/Domino users the ability to login using SAML authentication.
It has been identified that F5 IdP offers both:
WWW-Authenticate: Basic Realm=""
Setting up F5 IdP to use just Negotiated-Kerberos (and dropping basic) the Notes Clients works fine, it doesn't ask for IdP user password. If the Notes browser is given a choice, it's free it pick one so a SAMLBrowser picked the Basic since the server indicates either one is supported.
We are expecting that the Notes client browser should be able to choose Negotiated instead of Basic even if IdP offers both Basic & Negotiated.