IE/Edge do not fall back to NTLM if Kerberos not available

  • Question

  • We have recently changed our SharePoint on-premise authentication method from NTLM only to Kerberos/NTLM. Since then, when we try to log in from the Internet (no Kerberos), IE causes trouble, getting a 401 (Unauthorized) due to the fact that it does not fall back to NTLM, but wants to use Kerberos instead. This behaviour only applies to IE and Edge; other browsers like Chrome or Firefox do proper NTLM. The response header I see in IE is correct (WWW-Authenticate: Negotiate, NTLM), though. Just that both IE and Edge always only try Kerberos, which fails from outside our corporate network or VPN. It doesn't look to me like it would be a firewall or IIS server issue, since other browsers (non-Microsoft) do properly work with NTLM within the same scenario. BTW, there is a similar situation with Dynamics CRM on-premise. I am not an expert here, but with this, when trying to browse the internal URL from WAN (which might not be the right approach, but firewall-wise it is allowed), we get the same issue with IE/Edge. Using the internet-facing deployment URL for CRM via ADFS, this works with IE/Edge too from outside the corporate network. This seems to be the same cause: these browsers do not fall back to NTLM if Kerberos isn't available.
    After I got my Kerberos ticket once, until it expires or I purge it, I can work with these browsers from outside the LAN too.

    IE security settings are set to Enable Integrated Windows Authentication, and the servers in charge are members of the Local Intranet security zone.

    kind regards,


    Wednesday, October 17, 2018 6:23 AM
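
A diagnostic for the situation described in the question, as an added example that is not part of the original post: it classifies the token a browser sends in its `Authorization` header (copied from a proxy or network trace) as raw NTLM or as a GSS-API/SPNEGO blob, and lists which mechanisms the blob offers. The function names and the sample tokens are constructed for illustration, and the OID search is a byte-pattern heuristic rather than a full ASN.1 parse.

```python
import base64
import struct

# DER-encoded mechanism OIDs that can appear in a SPNEGO mechTypes list.
MECH_OIDS = {
    bytes.fromhex("06092a864886f712010202"): "Kerberos",
    bytes.fromhex("06092a864882f712010202"): "Kerberos (legacy Microsoft OID)",
    bytes.fromhex("060a2b06010401823702020a"): "NTLM",
}
NTLM_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_authorization(header_value):
    """Return (scheme, description) for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return scheme, "invalid base64"
    if token.startswith(NTLM_SIG) and len(token) >= 12:
        # NTLM message type is a little-endian uint32 right after the signature.
        msg_type = struct.unpack_from("<I", token, 8)[0]
        return scheme, "raw NTLM " + NTLM_TYPES.get(msg_type, "unknown")
    if token[:1] == b"\x60":  # GSS-API InitialContextToken (ASN.1 application tag 0)
        # Sort by offset so the result keeps the client's preference order.
        found = sorted((token.find(oid), name)
                       for oid, name in MECH_OIDS.items() if oid in token)
        mechs = ", ".join(name for _, name in found) or "no known mechanism"
        return scheme, "GSS-API/SPNEGO offering: " + mechs
    return scheme, "unrecognised token"


def constructed_samples():
    """Constructed tokens for the demo, not captured traffic."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body  # short-form DER length
    mech_list = b"".join(list(MECH_OIDS)[i] for i in (0, 2))  # Kerberos, then NTLM
    spnego = tlv(0x60, bytes.fromhex("06062b0601050502")  # SPNEGO OID 1.3.6.1.5.5.2
                 + tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x30, mech_list)))))
    ntlm = NTLM_SIG + struct.pack("<II", 1, 0x00088207) + bytes(16)
    enc = lambda raw: base64.b64encode(raw).decode()
    return {"spnego": "Negotiate " + enc(spnego), "ntlm": "Negotiate " + enc(ntlm)}


if __name__ == "__main__":
    for label, value in constructed_samples().items():
        print(label, "->", classify_authorization(value))
```

Run against each request in the failing and working traces, this shows whether the client answered the `Negotiate, NTLM` challenge with an NTLM message at all or only ever presented a Kerberos-bearing token.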