some quick facts about my environment:
Exchange 2013 deployment that has been made accessible from the internet through an IIS ARR server in the DMZ.
The Exchange 2013 system allows RPC over HTTPS and MAPI over HTTPS access.
Clients are Outlook 2013 SP1 and Outlook 2010 (January 2015 update - MAPI enabled).
MAPI virtual directory is configured with https://mail.domain.com/mapi for internalURL and externalURL as well as "Negotiate" for InternalAuthentication, ExternalAuthentication and IISAuthenticationMethods
Question: When clients start Outlook outside the corporate network it prompts them for their password once. After they supplied the correct password everything is working fine until Outlook is restarted. Now my understanding of "Negotiate" would be that Outlook tries to do Kerberos authentication and when it can't reach a KDC it falls back to NTLM and when falling back to NTLM it takes the users cached credentials from windows sign in and sends hashes of them to the Exchange server for validation which should make the user not having to input a password.
Is my assumption correct? If no - can someone educate me? If yes - why does Outlook prompt for a password then?