Unauthenticated POST requests

The browser directly receives a 401 response and knows that data is not processed.

The browser re-sends the data after acquiring the Kerberos ticket.

No data is lost.

The browser receives a redirect and thinks the data is processed (but is not).

Data is lost.

POST requests contain data the client wants to send to the server.

The kind and amount of data differ depending on the web application.

For a ticketing web application that could be a comment of a ticket.

An unauthenticated POST request could occur if an user start do make a comment in a ticketing system, go for lunch, the session times out and after lunch the user want to submit his comment.

Multi-Factor Authentication

Only client certificate can be used as 2nd factor.

All 2nd factors are possible.

Other Self-Services or intermediate pages

No interactive elements possible.

Possibility to add Terms of Services, Credential Migrations or other self-services before the user is finally redirected to the target application.