A strange issue popped up recently with one of my internal sites. To be honest I’m not quite sure what changed as this site has not experienced the problem mentioned in the post title until just recently.
The problem is as follows:
- A domain-joined computer is within the company LAN, and accesses intranet.company.com without issue.
- A non-domain-joined computer (such as my personal computer) is able to access intranet.company.com externally.
- The domain-joined computer travels outside the LAN and is now unable to access intranet.company.com.
At first I thought this was a problem with my reverse proxy, but after extensive troubleshooting I had ruled it out. Once I realized domain membership was a factor in connectivity, I knew the network firewall wasn’t the issue either. I suspected it had something to do with Internet Explorer’s categorization and rules around Internet/Intranet/Trusted Sites.
Eventually I stumbled upon this serverfault article which led me to the solution. I needed to use the AdsUtil.vbs script to set the authentication on the affected directory to “NTLM” instead of the default “Negotiate,NTLM”. As the page mentions, I am using IE8 and IIS 6.
To use adsutil.vbs, I did the following:
Opened a command prompt, and navigated to:
Then I opened IIS and took note of the site ID for the affected site:
Then I checked on the authentication value with my affected site ID inserted into the command:
cscript adsutil.vbs GET W3SVC/14548430/Root/NTAuthenticationProviders
And after verifying it was the default, I changed it:
cscript adsutil.vbs SET W3SVC/14548430/Root/NTAuthenticationProviders "NTLM"
After this, my domain-joined computers were accessing it properly once again.