I've got an Apache2 httpd running in front of a Tomcat, doing authentication via mod_auth_kerb.
When I open the console in Firebug, I see lots of 401's
See screenshot:
Is there a way to avoid this? I guess its causing an additional roundtrip which impacts performance.
No; the extra response and request are necessary for the SPNEGO authentication process, see RFC 4559 for details.
I'd recommend only forcing authentication of the sensitive resources. In your screenshot, it looks like only that very first request should be authenticated; you can probably set
Satisfy Anyon that/resdirectory.