IE not using Kerberos authentication through VPN, without VPN everything works as it should.
I'm trying to get my head around Kerberos authentication to troubleshoot some issues I'm having. I've read several articles but haven't found anything useful. As I understand, if IIS is configured for Negotiate,NTLM and a supported client (e.g. IE 6) tries to authenticate, it will try Negotiate to find the KDC first, if it can't then it uses NTLM. Inside the firewall, this seems to work fine. I use NetMon to view the Kerberos traffic and all the SPNs and delegation are set up correctly. I don't get any Kerberos errors and everything connects well, even multiple hops. My issue is outside the firewall, from home, through VPN. When I establish a VPN connection and connect to the IIS server, all traffic on the server side is using NTLM. So I used Netmon on the client side and no Kerberos traffic at all. Not even the initial Authentication request to the KDC. The only authentication traffic I see is HTTP. IE is set for Windows Authentication. When I take this same laptop into work and attach to the LAN, everything works as expected. So, my confusion is what is stopping IE from contacting the KDC and requesting a ticket? If I understand this right, HTTP authenticates with IIS (which is only set for Windows Authentication, and providers are set for Negotiate,NTLM) and the browser prompts for my credentials. After typing my credentials, IIS passes back a header for WWW-Negotiate, which indicates to IE that it should try to search for the KDC to get a TGS ticket. This would be the AS request I would see in NetMon. However, I don't see that initial request. I know IIS is sending the right header, because it works within the firewall. So is IE not receiving this header? I would think IE, once receiving this header, would at least try the initial AS request to the KDC, and perhaps fail because of the VPN, etc. but why isn't IE sending this request at all? I tried forcing Kerberos to use TCP by setting a registry entry found in a KB article.
I did this on my client PC (article didn't specify which computer it should be applied on). I rebooted. That didn't make any difference. So, to summarize, even when I am at work, everything works. When I fire up my VPN, the Kerberos ticket from the client doesn't get created, so NTLM is used instead. Update: When I take a closer look at the netmon trace, it is getting error 402.2 from the server, which indicates that the client is trying to negotiate but the server isn't configured for it. As I said before, everything is configured correctly on the server and Kerberos works when not going through the VPN. I read that these errors may be caused by a proxy server, but I'm not sure if VPN counts as a proxy server. How can I test that?
October 5th, 2009 7:51am

Turns out the laptop I was using to VPN wasn't a member of their domain. When I added the laptop to their AD domain, everything worked. Is this possibly a VPN configuration, such that only their computers can VPN into the corp network? I would think users would want to use their own PC at home, school, whatever and not have to be a domain member. I didn't see anything in my reading about Kerberos where the computer you use has to be part of a domain. I understand the user does, but why the computer?
October 7th, 2009 8:31pm

Actually IE is using Kerberos even when the computer is not member of a domain. There are though two conditions to this:
a) the site must be in Local Intranet sites (applies also to the domain members)
b) the login provided must be in the form of @domain.com so that the browser can find the SRV records in DNS
ondrej
October 8th, 2009 2:11pm
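A client-side check for the two conditions in ondrej's answer, added here as an example and not posted in the thread. It assumes a Windows client with the DnsClient module (Resolve-DnsName) and reads only the per-user IE ZoneMap; the UPN and site URL are constructed placeholders, and the ZoneMap key layout (registered domain as key, remaining labels as subkey) is my assumption about how IE stores entries.

```powershell
# Added example: verify (a) the site is in the Local Intranet zone and
# (b) a KDC SRV record for the UPN's realm resolves over the VPN DNS.
param(
    [string]$Upn     = 'user@corp.example',            # constructed placeholder
    [string]$SiteUrl = 'http://intranet.corp.example'  # constructed placeholder
)

# Condition (b): Windows derives the realm from the UPN suffix and locates a KDC
# through the _kerberos._tcp.<realm> SRV record. If the VPN adapter's DNS cannot
# answer this, no AS-REQ is ever sent and IE silently falls back to NTLM.
$realm   = ($Upn -split '@')[-1]
$srvName = "_kerberos._tcp.$realm"
try {
    $srv  = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' }
    $kdcs = $srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }
    Write-Host "SRV lookup for $srvName OK: $($kdcs -join ', ')"
} catch {
    Write-Warning "No SRV record for $srvName via current resolvers: $($_.Exception.Message)"
    Write-Warning "Check the DNS servers bound to the VPN adapter (Get-DnsClientServerAddress)."
}

# Condition (a): IE only offers Negotiate/Kerberos to Local Intranet sites
# (zone id 1). Per-user mappings: ZoneMap\Domains\<domain>[\<subdomain>] with a
# value named after the scheme (http/https) or '*' whose data is the zone id.
# Policy-assigned sites (GPO "Site to Zone Assignment") live elsewhere and are
# not examined here.
$uri      = [uri]$SiteUrl
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$labels   = $uri.Host -split '\.'
$domain   = ($labels | Select-Object -Last 2) -join '.'
$sub      = ($labels | Select-Object -First ($labels.Count - 2)) -join '.'
$zone     = $null
$candidates = @()
if ($sub) { $candidates += (Join-Path (Join-Path $zoneRoot $domain) $sub) }
$candidates += (Join-Path $zoneRoot $domain)
foreach ($key in $candidates) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in @($uri.Scheme, '*')) {
        if ($null -ne $props.$name) { $zone = $props.$name; break }
    }
    if ($null -ne $zone) { break }
}
if ($zone -eq 1)         { Write-Host    "$($uri.Host) is mapped to Local Intranet (zone 1)." }
elseif ($null -eq $zone) { Write-Warning "$($uri.Host) has no ZoneMap entry; IE will treat it as Internet zone and use NTLM." }
else                     { Write-Warning "$($uri.Host) is mapped to zone $zone, not Local Intranet (1)." }
```

Run it with the VPN up and again on the office LAN; a difference in the SRV result points at VPN DNS, a difference in the zone result points at the laptop's IE zone settings.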
