For auth mechanisms like Kerberos/NTLM the server returns "401 Unauthorized" with a WWW-Authenticate: Negotiate header if a user wants to access a protected resource and is not already authenticated. Then a browser may issue the request again with some credentials (e.g. Authorization: Negotiate <credentials>).
Currently we check if a resource is protected and do a redirect to the login page (even without HTTP 401). There a user can enter his credentials...
It would be better if we didn't do the redirect. Instead we should render the login page and return an HTTP 401 with some optional HTTP auth challenges (like Negotiate). Then a login can happen without user interaction. To do so we should add an event for authentication plugins. Its name could be onUserChallengeAuthentication.
Labels added: No Code Attached Yet
Labels added: Feature
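The flow requested above, sketched as an added example that is not part of the original issue or the project's code: a protected path answers 401 with the login form as body plus one WWW-Authenticate header per plugin challenge, and a repeated request carrying Authorization: Negotiate logs the user in without a redirect. The function names, the sample paths, and the `demo_validator` stand-in for real GSS-API/SPNEGO validation are assumptions; `collect_challenges` plays the role of the proposed onUserChallengeAuthentication event.

```python
import base64
import binascii

LOGIN_PAGE = "<form method='post' action='/login'>user/password form</form>"  # constructed
PROTECTED = {"/admin"}  # constructed sample of protected paths


def collect_challenges():
    # Hypothetical stand-in for the proposed onUserChallengeAuthentication
    # event: each authentication plugin contributes one challenge string.
    return ["Negotiate"]


def parse_negotiate(header_value):
    """Return the raw token from 'Negotiate <base64>', or None if absent or malformed."""
    scheme, _, b64 = (header_value or "").strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return None
    try:
        return base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def handle_request(path, headers, validate_token, session_user=None):
    """Return (status, response_headers, body) for one request."""
    if path not in PROTECTED:
        return 200, [], "public page"
    user = session_user
    if user is None:
        token = parse_negotiate(headers.get("Authorization"))
        if token is not None:
            user = validate_token(token)  # None when the token is rejected
    if user is not None:
        return 200, [], f"protected page for {user}"
    # No redirect: answer 401, offer every plugin's challenge, and still
    # render the login form so interactive login remains the fallback.
    resp = [("WWW-Authenticate", c) for c in collect_challenges()]
    resp.append(("Cache-Control", "no-store"))
    return 401, resp, LOGIN_PAGE


def demo_validator(token):
    # Constructed stand-in for real GSS-API/SPNEGO ticket validation.
    return "alice" if token == b"constructed-ticket" else None
```

A malformed or rejected token falls through to the same 401 with the form, so a client without usable credentials still gets the interactive login.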