I have set up a SP2007 site that uses Kerberos authentication and everything works great internally. When a user tries to access it remotely, they get an "Internet Explorer cannot display the webpage" page. We can fix this by going to IE's Internet options -> Security and then either
- Local Intranet -> Custom Level -> User Authentication - Logon -> and select "Prompt for user name and Password"
- Trusted sites -> Sites -> Advanced -> and then add "https:/www.microsoft.com" and then Close and Custom Level -> User Authentication - Logon -> and select "Prompt for user name and Password"
Both of these will then prompt the remote user for a username and password (using NTLM). BUT if they later try and access the site using our intranet they are again prompted for username and password instead of using Kerberos. This is an issue because it prompts for a username for every MS Office file on SP they try to access.
Is there any way to use Group Policy and have one policy while on the intranet and another when not on the intranet? Or is there a better way? Any help or suggestions would be appreciated!
Couple of things to consider:
- Does the site have a Host A DNS entry? From my experience, an alias does not work well
- Did you set up an SPN for the web application/server?
Check the following blog posts for walkthroughs:
Hope this helps!
Yes it does have an A record and Yes the SPN has been set up. Kerberos IS working for people on our local network.
I understand that Kerberos can't authenticate users over the internet, but how do you make it use Kerberos (and not prompt for a user name and password) when a person is on the local network AND THEN when the person ISN'T on the local network to prompt for a user name and password?
Check out this blog.