How to setup apache redirect or custom 401 document on Kerberos SSO login failure

In order not to interrupt the Kerberos/SSO authentication process, use the following:

ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/login.htm\"></html>"

This will cause a redirect to occur only when the user clicks cancel on the browser dialog box.