In FreeIPA, when browsing to the web UI, a failed authentication session should redirect to http://<servername>/browserconfig.html. Mine does not.
Maybe I'm over complicating things, but the default FreeIPA Apache ipa.conf appears to disable non-kerberos sessions for the directory.
Following is excerpt of ipa.conf
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms <servername>
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbSaveCredentials on
KrbConstrainedDelegation on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
</Location>
Unfortunately, this does not work on my server. When I fail authentication, I get a 404 Not Found message instead. I'm not sure why.
If authentication is invoked from Web UI(ipa/ui/index.html#something) then failed attempt should be reported in the login page, there is no automatic redirection to browserconfig.html.
Login page since IPA 4.1 contains link to browserconfig.html in the instruction section on the right.
I'm actually not sure what you mean by "When I fail authentication, I get a 404 Not Found message instead" because you didn't specify the steps you've done(use SSO/form based login/have a old session)...