Website with 'Windows Authentication' enabled (e.g. https://intranet.fqdn.something)
HP 6730b laptops
Windows XP SP3
Intranet zone: https://intranet.fqdn.something
The clients access the servers through a static IPsec connection while in the office, and through a Citrix Secure Access Client while 'on the road'.
When the clients try to access the Intranet website while on the road (e.g. at home) without being connected through the VPN client, they cannot access the Intranet website:
"Cannot find server" is displayed in IE.
The event log on the client shows the reason:
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
"The Security System detected an attempted downgrade attack for server HTTP/intranet.fqdn.something. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)"."
The failure reason itself is correct: when the client is not connected through the VPN there is no server (= domain controller) to service the logon request. It looks like this behaviour is related to Security Bulletin MS04-011: http://support.microsoft.com/default.aspx/kb/891559/en-us
The problem I'm facing is that IE does not offer an alternative way to authenticate the user (for example a password prompt). When I remove the URL from the Intranet zone in IE, the browser correctly displays a username/password prompt.
The client, however, would like to have 'single sign-on', which works only when the URL is placed in the Intranet zone.
Thanks in advance for your feedback!
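A diagnostic for the situation described in this post, added here as an example; it is not part of the original question and not code from the poster. It is PowerShell and assumes a Windows PowerShell host (the XP SP3 clients in the post would need PowerShell installed; the registry layout it reads is the same on later Windows versions). The host name and scheme are taken from the post's placeholder URL. The script shows which IE zone the URL is mapped to (from the ZoneMap registry keys, policy hives first), decodes the zone's logon setting (registry value 1A00, which is what makes IE attempt a silent Negotiate logon instead of prompting), checks whether a domain controller can currently be found, looks for a cached Kerberos ticket for HTTP/<host>, and lists recent LSASRV 40960 events. The combination "Local intranet + automatic logon + no domain controller + no cached ticket" is exactly the case in the post: IE tries Kerberos, gets STATUS_NO_LOGON_SERVERS (0xc000005e), and never shows a password prompt.

```powershell
# Added example, not from the original post. Run in the affected user's session:
# IE zone settings live under HKCU. Host name and scheme are assumptions.
param(
    [string]$HostName = 'intranet.fqdn.something',   # assumption: the post's placeholder host
    [string]$Scheme   = 'https'
)

$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# Which zone is the URL explicitly mapped to? ZoneMap\Domains\<domain>\<host> (or \<domain>)
# holds a DWORD named after the scheme ('https') or '*' (any scheme) whose value is the zone number.
function Get-IEZoneForHost {
    param([string]$HostName, [string]$Scheme)
    $labels = $HostName.Split('.')
    if ($labels.Count -lt 2) { return 1 }            # dotless names are Local intranet by default
    $domain = $labels[-2..-1] -join '.'
    $sub = $null
    if ($labels.Count -gt 2) { $sub = $labels[0..($labels.Count - 3)] -join '.' }

    # Policy hives first: a GPO site-to-zone list overrides the user's own ZoneMap.
    $roots = @(
        'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    )
    foreach ($root in $roots) {
        $keys = @()
        if ($sub) { $keys += "$root\$domain\$sub" }   # host-specific entry, e.g. Domains\fqdn.something\intranet
        $keys += "$root\$domain"                     # whole-domain entry, e.g. Domains\fqdn.something
        foreach ($key in $keys) {
            # -LiteralPath: registry names may contain '*', which Test-Path would treat as a wildcard
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $props = Get-ItemProperty -LiteralPath $key
            foreach ($name in @($Scheme, '*')) {
                if ($props.PSObject.Properties[$name]) { return [int]$props.$name }
            }
        }
    }
    return $null                                      # no explicit mapping found
}

# Decode the zone's "Logon" setting (value 1A00). 0 and 0x20000 mean IE sends the
# logged-on user's credentials silently; 0x10000 is the prompt the post is asking for.
function Get-IEZoneLogonMode {
    param([int]$Zone)
    $keys = @(
        "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone",
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    )
    foreach ($key in $keys) {
        $p = Get-ItemProperty -LiteralPath $key -Name '1A00' -ErrorAction SilentlyContinue
        if ($p -ne $null) {
            switch ([int]$p.'1A00') {
                0x00000 { return 'Automatic logon with current user name and password' }
                0x10000 { return 'Prompt for user name and password' }
                0x20000 { return 'Automatic logon only in Intranet zone' }
                0x30000 { return 'Anonymous logon' }
                default { return ('Unrecognised value 0x{0:X}' -f [int]$p.'1A00') }
            }
        }
    }
    return 'Not set (IE default for the zone applies)'
}

# Off the VPN this is what Kerberos runs into: no logon server, hence 0xc000005e.
function Test-DomainControllerReachable {
    try {
        $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController()
        return "reachable ($($dc.Name))"
    } catch {
        return "unreachable ($($_.Exception.GetType().Name))"
    }
}

# A ticket cached while on the VPN would let Kerberos succeed without a DC; check for one.
function Test-KerberosTicketCached {
    param([string]$Spn)
    $out = & klist 2>&1 | Out-String   # klist ships with Vista and later; on XP it is a Resource Kit tool
    return [bool]($out -match [regex]::Escape($Spn))
}

# The SPNEGO "downgrade attack" events quoted in the post, newest first.
function Get-SpnegoDowngradeEvents {
    param([int]$Newest = 50)
    Get-EventLog -LogName System -Source LSASRV -Newest $Newest -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 40960 } |
        Select-Object TimeGenerated, @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ') } }
}

$zone = Get-IEZoneForHost -HostName $HostName -Scheme $Scheme
$zoneLabel = if ($zone -ne $null) { $zoneNames[$zone] } else { 'no explicit mapping' }
Write-Output "Zone for ${Scheme}://${HostName}: $zoneLabel"
if ($zone -ne $null) { Write-Output "Logon setting (1A00) for zone ${zone}: $(Get-IEZoneLogonMode -Zone $zone)" }
Write-Output "Domain controller: $(Test-DomainControllerReachable)"
Write-Output "Kerberos ticket cached for HTTP/${HostName}: $(Test-KerberosTicketCached -Spn "HTTP/$HostName")"
Write-Output 'Recent LSASRV 40960 events:'
Get-SpnegoDowngradeEvents | Format-Table -AutoSize -Wrap
```

The script only reads configuration and state; it changes nothing. Note that IE's final zone decision also uses heuristics the script does not reproduce (proxy bypass list, dotless names), so "no explicit mapping" does not by itself mean the URL is in the Internet zone; and with a GPO-pushed site list, the user's own ZoneMap entries are ignored entirely, which is why the policy hives are consulted first.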