In the document http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb, configuration is shown which allows to configure mod_auth_kerb for Negotiate authentication for issue http://projects.theforeman.org/issues/3312.

However, the fallback configuration that I found working is a little bit cumbersome:

ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'

It would be much better if we could use

ErrorDocument 401 /users/login

However, when the /users/login is served by Foreman's passenger, it does not preserve the 401 status, returning 200 instead. As a result, the Negotiation does not happen at all (and situation is the same when Basic authentication is configured). So that setup cannot be used.

Foreman shouldn't specify status (and force 200) if there already is one set in the response.