Good day everyone,
I am a Kerberos expert and I'm very well versed in how to set up Kerberos.
I have a scenario with three servers now where other people are suggesting that Kerberos Authentication will work and I think it will not.
I want to find out from other experts on this forum whether the scenario below can allow the user to access the web site without having to enter their credentials again.
I have two SharePoint front-end servers in NLB. The URL is: https://extranet.mycompany.com. Users are external to the company, but they are in their own domain called EXTERNAL.LOCAL. This portal is their main interaction with all systems. When they hit the home page the first time, they are prompted for credentials because their computer accounts are not on the EXTERNAL.LOCAL domain.
I have another web application running on one of the SharePoint front-end servers. This web application is using a host header and is accessed using: https://app.mycompany.com. This runs under a different account than the SharePoint AppPool. On the portal there are links to various pages of the web application. When a user clicks on any of those links the user is always prompted (again) for their username and password.
Other people suggest that you can set up Kerberos in such a way as to remove the second authentication prompt. I disagree, thinking that because it is accessing a different domain name it is seen as a new request, especially because the users are not joined to the EXTERNAL.LOCAL domain. These users are not able to join the EXTERNAL.LOCAL domain so that is out of the question.
I have SPNs set up for the NLB name of SharePoint: HTTP/external.mycompany.com and also for the web application: HTTP/app.mycompany.com.
I have set up constrained delegation from the external SPN to the app SPN and I've also trusted all the servers for delegation.
Unless we move to claims authentication, I don't see a way that Kerberos can be set up to avoid that second authentication prompt.
I would like to find out if this is possible and how I would set up Kerberos to do this.
Thanks in advance.
MrJohanL
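For readers working through the SPN and constrained-delegation setup described in the post above, the following PowerShell is an added example and is not part of the original post or any reply to it. It assumes two hypothetical service accounts, svc_spweb (the SharePoint web application pool) and svc_app (the pool for https://app.mycompany.com), and uses the SPN names exactly as the post gives them; the account names, and the domain they live in, are assumptions to be replaced with the real ones. It runs on a domain-joined admin host with the ActiveDirectory RSAT module and rights to edit those accounts.

```powershell
# Added example (not from the original post). Assumed account names:
#   svc_spweb - SharePoint web application pool account
#   svc_app   - application pool account for https://app.mycompany.com
# Replace both with the real service accounts before running.
Import-Module ActiveDirectory

$spAccount  = 'svc_spweb'
$appAccount = 'svc_app'
$spSpns     = @('HTTP/extranet.mycompany.com')   # NLB name users type
$appSpns    = @('HTTP/app.mycompany.com')        # host-header application

# 1. Look for duplicate SPNs across the forest. A duplicated HTTP/ SPN breaks
#    Kerberos for that name: the KDC cannot pick a single key for the ticket,
#    the client falls back to NTLM and the user gets prompted.
setspn -X -F

# 2. Show which account currently holds each SPN (should be exactly one each).
foreach ($spn in $spSpns + $appSpns) {
    Write-Host "`n== $spn =="
    setspn -Q $spn
}

# 3. Register the SPNs on the correct pool accounts. -S refuses to create a
#    duplicate, so prefer it over -A.
foreach ($spn in $spSpns)  { setspn -S $spn $spAccount }
foreach ($spn in $appSpns) { setspn -S $spn $appAccount }

# 4. Constrained delegation: let the SharePoint pool account request service
#    tickets for HTTP/app.mycompany.com on the user's behalf, and nothing else.
Set-ADUser -Identity $spAccount -Add @{ 'msDS-AllowedToDelegateTo' = $appSpns }

# Kerberos-only constrained delegation. This only works if the front end
# itself authenticated the user with Kerberos (a forwardable TGT is needed).
Set-ADAccountControl -Identity $spAccount -TrustedToAuthForDelegation $false
# If the front end authenticates users by NTLM or forms instead, the pool
# account needs protocol transition ("Use any authentication protocol"):
# Set-ADAccountControl -Identity $spAccount -TrustedToAuthForDelegation $true

# 5. Verify what was actually written to the directory.
Get-ADUser -Identity $spAccount -Properties ServicePrincipalName,
    'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object SamAccountName, ServicePrincipalName,
        'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
Get-ADUser -Identity $appAccount -Properties ServicePrincipalName |
    Select-Object SamAccountName, ServicePrincipalName

# 6. On a client that has just visited the portal, confirm that Kerberos
#    tickets for both services were issued. No ticket for a name means the
#    client fell back to NTLM for it, which is exactly where a prompt appears.
# klist get HTTP/extranet.mycompany.com
# klist get HTTP/app.mycompany.com
```

Two points worth checking against the setup in the post. First, the delegation target is the account that owns the target SPN, so HTTP/app.mycompany.com must be registered on the application's own pool account (not the SharePoint one) for the delegation entry to mean anything. Second, once constrained delegation is configured on the pool account, marking every server as trusted for delegation (unconstrained delegation) adds nothing to this scenario and lets any service on those hosts reuse any connecting user's TGT; it is safer to leave the computer accounts unchanged and keep the delegation list on the service account only.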