When running CA Access Gateway (SPS), when the Kerberos Authentication
fails, the browser doesn't go to the HTML Form Authentication Scheme,
and it reports HTTP code 500.
From the logs, we see that the Authentication Schemes are executed on
the Web Agent 12.52SP1CR11 on Apache 2.4. As per documentation, the
Kerberos Fallback to HTML Forms should be executed on CA Access
Gateway (SPS) only, and CA Access Gateway (SPS) should be version
12.8SP2 (you're running 12.8SP1) (1).
So said, in order for this implementation to work, CA Access Gateway
(SPS) should execute both Authentication Schemes. The chaining should
happen on the CA Access Gateway (SPS). CA Access Gateway (SPS) should
be higher than 12.8SP2 version, and we strongly suggest you to upgrade
to the same version as per Policy Server 12.8SP4.
Policy Server 12.8SP4 on RedHat 7;
CA Access Gateway (SPS) 12.8SP1 on RedHat 7;
Cookie Provider Web Agent 12.52SP1CR11 on Apache 2.4.29 RedHat 7;
Upgrade CA Access Gateway (SPS) to 12.8SP4;
Implement "Kerberos Fallback to Forms Using Authentication Chain" on
CA Access Gateway (SPS) to fix this issue;
Configure Kerberos Fallback to Forms Using Authentication Chain
From Release 12.8.02, you can configure Kerberos Fallback to
form-based authentication schemes as an Authentication Chain.
The Authentication Chain implementation in SiteMinder is limited
to be used with Access Gateway. Ensure that Access Gateway is
configured to support Kerberos.