Using Kerberos to access sharepoint for Direct Access clients

  • Question

  • We have recently started to redesign our SharePoint sites to use external FQDNs instead of the internal names in preparation for adding external users via the UAG portal. We have had to add Kerberos authentication to the SharePoint site to allow for "double hop" authentication.

    Our current DirectAccess clients are now having issues accessing the SharePoint site via the FQDN. If they use the old internal name (http://files) they access it fine. As soon as they try to use the new URL (http://sharepoint.externaldomain.co.uk) they get a password prompt.

    If they are working on the internal network the FQDN works fine (no password prompts).

    I have added the FQDN to the list of DNS Suffixes to use the internal DNS server.

    I'm pretty sure that it could be Kerberos related and I have missed a simple step, but I am not sure what. Any pointers would be really appreciated.

    Thanks in advance for any help.


    Darren
    Wednesday, August 10, 2011 8:19 AM

Answers

  • Hi Darren,

    I'm pretty sure this will solve your problems, since IE (for security reasons) only allows "automatic Windows logon" in the Intranet Zone.

    -Kai

     

    • Proposed as answer by Kai Wilke Sunday, August 14, 2011 12:00 AM
    • Marked as answer by Erez Benari Friday, August 26, 2011 10:33 PM
    Wednesday, August 10, 2011 11:43 AM

All replies

  • Hi Darren,

    1.) Do you get a Kerberos ticket for the destination web site when you use DA? (klist.exe will show you the ticket cache)

    2.) Do you get a Kerberos ticket for the destination web site when you're connected to the internal network? (klist.exe again)

    3.) What happens if your DA clients disable "Integrated Windows Authentication" in IE? Does the auth prompt remain?

    4.) Did you assign the new URL to the "Intranet Zone"?

    -Kai

     

    Wednesday, August 10, 2011 8:34 AM
  • Thanks for the quick response Kai.

    Tested one client and it seems like Option 4 is the problem. As soon as I added the FQDN into the Intranet Zone in IE the password prompt went away.

    Couple more clients to test and then I'll mark your solution as the answer.

    Thanks again.


    Darren
    Wednesday, August 10, 2011 11:36 AM
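
A client-side check for the two things this thread turned on: the IE security zone the URL maps to, and whether an HTTP service ticket is in the klist.exe cache. This is an added example, not posted by anyone in the thread; `Test-IntranetKerberos` is a hypothetical name, and it assumes Windows PowerShell on the .NET Framework, run on the DirectAccess client after browsing to the site.

```powershell
# Added example, not from the thread. Function name is hypothetical.
# Assumes Windows PowerShell (.NET Framework) on the DirectAccess client.
function Test-IntranetKerberos {
    param(
        [Parameter(Mandatory)][string]$Url
    )

    $uri = [Uri]$Url

    # Ask the .NET Framework which security zone this URL is mapped to.
    # Possible values: MyComputer, Intranet, Trusted, Internet, Untrusted, NoZone.
    $zone = [System.Security.Policy.Zone]::CreateFromUrl($Url).SecurityZone

    # Look in the current logon session's ticket cache for an HTTP service
    # ticket naming this host. A ticket only shows up after the site has been
    # requested in this session, and the SPN in use may differ from the URL
    # host (for example when the name is a DNS alias), so a miss here is a
    # hint to inspect the full klist output, not proof of failure.
    $spn    = "HTTP/$($uri.Host)"
    $ticket = klist.exe | Select-String -SimpleMatch $spn | Select-Object -First 1

    [pscustomobject]@{
        Url            = $Url
        Zone           = $zone
        # Per the accepted answer: IE only does automatic Windows logon
        # for sites in the Intranet Zone.
        InIntranetZone = ($zone -eq 'Intranet')
        HasHttpTicket  = [bool]$ticket
        TicketLine     = if ($ticket) { $ticket.Line.Trim() } else { $null }
    }
}

# URL taken from the question; compare the result on a DirectAccess
# connection with the result on the internal network.
Test-IntranetKerberos -Url 'http://sharepoint.externaldomain.co.uk' | Format-List
```

If `InIntranetZone` is false on the DirectAccess client, that matches the cause found above. Assign only the specific host to the Intranet Zone, since with default settings IE attempts automatic logon to every site in that zone.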