Had one of the Oakton team start work at the client I’m currently based at and spent the better part of 3 hours getting IE working on his machine so it could browse the SharePoint sites.
Here is his setup:
- Workstation Computer running IE8, Win 7 (We upgraded to IE9 as well, no change)
- Workstation Computer is not a Member of the domain (it’s a member of the Oakton domain, just not the client’s domain)
- Internet Explorer on the Workstation Computer has “Enable Integrated Authentication” TICKED in the Browser’s advanced settings
- Client uses an ISA proxy server for Network users
- Site was set up to (correctly) use Kerberos Authentication (SPNs configured and tested)
Every time we tried to load the internal site, we immediately got the browser page “Page Cannot be Displayed” – There was not even a delay while the query died – it was an immediate page load. Browsing Google, etc seemed to be a bit flaky but it eventually worked after the second refresh.
Essentially, there appears to be a problem with the way non-domain-member devices running IE7 with Windows Integrated Authentication enabled on Windows Vista / 7 work with Kerberos sites on Windows 2008 and later servers (it may also affect 2003; not sure). The temporary workaround is to disable the Authentication option in IE’s advanced settings and restart the browser.
This forces the browser to use NTLM Authentication, so it does not care which domain you belong to, as long as you can authenticate to the service using valid credentials. If you find this works (unticking the Auth Credentials option), then it may be worth going to your Security Policy (Start – Run – GPEDIT.MSC) and changing the “Network Security: LAN Manager Authentication Level” setting to “Send LM & NTLM Responses”.
This will avoid sending the NTLMv2 responses (which the Proxy Server understands) and then having authentication fail because you’re logged into a non-domain-registered device. It will also start prompting you to log into the authenticated intranet sites again.
Note: This may also affect devices like smartphones and tablet devices, as well as Workgroup-style network setups… basically any configuration running a modern SOE and leveraging ISA server with devices that are not Domain members.
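To find machines that are still in this temporary workaround state, the read-only PowerShell check below reports both settings from the registry. It is an added example, not part of the original post: `LmCompatibilityLevel` and `EnableNegotiate` are the registry values behind the two options discussed above, and the function and property names are hypothetical.

```powershell
# Added example: read-only audit of the two settings this workaround changes.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ieKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# GPEDIT.MSC option names, indexed by the LmCompatibilityLevel value (0-5).
$lmLevels = @(
    'Send LM & NTLM responses',
    'Send LM & NTLM - use NTLMv2 session security if negotiated',
    'Send NTLM response only',
    'Send NTLMv2 response only',
    'Send NTLMv2 response only. Refuse LM',
    'Send NTLMv2 response only. Refuse LM & NTLM'
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Yields nothing ($null) when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-AuthWorkaroundState {
    $lm  = Get-RegValue -Path $lsaKey -Name 'LmCompatibilityLevel'
    $neg = Get-RegValue -Path $ieKey  -Name 'EnableNegotiate'

    # No value set means the OS default applies; on Windows Vista / 7 that is level 3.
    $level = if ($null -eq $lm) { 3 } else { [int]$lm }
    $name  = if ($level -ge 0 -and $level -le 5) { $lmLevels[$level] } else { 'unknown' }

    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        LmLevel         = $level
        LmLevelExplicit = ($null -ne $lm)   # False: value absent, OS default in effect
        LmPolicy        = $name
        SendsLmOrNtlmV1 = ($level -lt 3)    # True once the GPEDIT change has been made
        IwaUnticked     = ($neg -eq 0)      # True once the IE option has been unticked
    }
}

Get-AuthWorkaroundState | Format-List
```

Run it as the affected user, since the IE option is stored per user under HKCU while the LAN Manager level is machine-wide.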
http://social.msdn.microsoft.com/Forums/en-IE/iewebdevelopment/thread/9e56fa7c-e0c1-4930-9612-0ad5436ad9f3 – clues in here led me down the path of enlightenment.