diff --git a/api/src/main/scala/za/co/absa/loginsvc/rest/Application.scala b/api/src/main/scala/za/co/absa/loginsvc/rest/Application.scala
index 4f0d547..3083252 100644
--- a/api/src/main/scala/za/co/absa/loginsvc/rest/Application.scala
+++ b/api/src/main/scala/za/co/absa/loginsvc/rest/Application.scala
@@ -47,6 +47,11 @@ import org.springframework.context.annotation._
   `type` = SecuritySchemeType.HTTP,
   scheme = "basic"
 )
+@SecurityScheme(
+  name = "negotiate",
+  `type` = SecuritySchemeType.HTTP,
+  scheme = "negotiate"
+)
 @SpringBootApplication()
 @ConfigurationPropertiesScan(Array("za.co.absa.loginsvc.rest.config")) // look for configuration in this package (not related to path in config file)
 class Application extends SpringBootServletInitializer {
diff --git a/api/src/main/scala/za/co/absa/loginsvc/rest/SecurityConfig.scala b/api/src/main/scala/za/co/absa/loginsvc/rest/SecurityConfig.scala
index 687f502..31fa252 100644
--- a/api/src/main/scala/za/co/absa/loginsvc/rest/SecurityConfig.scala
+++ b/api/src/main/scala/za/co/absa/loginsvc/rest/SecurityConfig.scala
@@ -26,6 +26,9 @@ import org.springframework.security.web.authentication.www.BasicAuthenticationFi
 import za.co.absa.loginsvc.rest.config.provider.AuthConfigProvider
 import za.co.absa.loginsvc.rest.provider.kerberos.KerberosSPNEGOAuthenticationProvider
 
+import javax.servlet.http.{HttpServletRequest, HttpServletResponse}
+import org.springframework.security.core.AuthenticationException
+
 @Configuration
 @EnableWebSecurity
 class SecurityConfig @Autowired()(authConfigsProvider: AuthConfigProvider) {
@@ -58,13 +61,21 @@ class SecurityConfig @Autowired()(authConfigsProvider: AuthConfigProvider) {
     if(ldapConfig != null) {
       if(ldapConfig.enableKerberos.isDefined)
-      {
-        val kerberos = new KerberosSPNEGOAuthenticationProvider(ldapConfig)
+      {
+        val kerberos = new KerberosSPNEGOAuthenticationProvider(ldapConfig)
-        http.addFilterBefore(
+        http.addFilterBefore(
           kerberos.spnegoAuthenticationProcessingFilter,
           classOf[BasicAuthenticationFilter])
-      }
+          .exceptionHandling()
+          .authenticationEntryPoint((request: HttpServletRequest,
+                                     response: HttpServletResponse,
+                                     authException: AuthenticationException) => {
+            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED)
+            response.addHeader("WWW-Authenticate", """Basic realm="Realm"""")
+            response.addHeader("WWW-Authenticate", "Negotiate")
+          })
+      }
     }
     http.build()
diff --git a/api/src/main/scala/za/co/absa/loginsvc/rest/controller/TokenController.scala b/api/src/main/scala/za/co/absa/loginsvc/rest/controller/TokenController.scala
index bfd53dd..5728615 100644
--- a/api/src/main/scala/za/co/absa/loginsvc/rest/controller/TokenController.scala
+++ b/api/src/main/scala/za/co/absa/loginsvc/rest/controller/TokenController.scala
@@ -71,6 +71,7 @@ class TokenController @Autowired()(jwtService: JWTService) {
   )
   @ResponseStatus(HttpStatus.OK)
   @SecurityRequirement(name = "basicAuth")
+  @SecurityRequirement(name = "negotiate")
   def generateToken(authentication: Authentication,
                     @RequestParam("group-prefixes") groupPrefixes: Optional[String]): CompletableFuture[TokensWrapper] = {
     val user: User = authentication.getPrincipal match {
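Review bot: The entry point added after `classOf[BasicAuthenticationFilter])` hard-codes the Basic challenge realm as `"Realm"`, a placeholder that browsers show verbatim in their credential prompt and that cannot be tied to the LDAP/Kerberos deployment; take it from configuration instead, e.g. `response.addHeader("WWW-Authenticate", s"""Basic realm="${<realm from config>}"""")`. Emitting `Negotiate` before `Basic` is also advisable, since some clients act on the first scheme they understand and would otherwise fall back to password transport even when a ticket is available. The `authException` argument is discarded, so a failed SPNEGO or Basic attempt leaves no trace on the server side; a debug-level log of `authException.getMessage` (never the credentials) would help operators diagnose misconfigured keytabs or SPNs. Note that this entry point is installed on the whole `http` chain, so it also shapes the 401 for non-Kerberos requests whenever `enableKerberos` is set. The enclosing method begins above this hunk.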