Domain Joined computers can access Sharepoint inside the network but not outside the network

If a user takes their domain-joined company laptop home they are unable to access our main sharepoint portal.
In Group Policy the site is set to be in the Local Intranet Zone
Also Group Policy sets the user's IE to Automatic Login only in Intranet Zone

Also non domain joined computers can access it if they type in their domainusername & password

The-Page-cant-be-Displayed.png
LVL 8
K BAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

LajuanTaylorCommented:
Have you checked the SharePoint site permissions? Maybe there's a VPN user group that needs to be granted access to the SharePoint.

Can work from home users access their Network shares? I'm wondering if remote workers are placed in a different security zone when accessing your Network...
0
K BAuthor Commented:
Thank you for your reply...

On the VPN they CAN get to SharePoint.  It is when they are NOT on the VPN they cannot.
Non-Domain Joined computers off the network can access SharePoint as they are prompted for credentials.  
If they enter the credentials they are able to get to SharePoint.

Here is a fiddler trace of a domain-joined computer off the network:

Fiddler-401-Unauthorized-Outside-Only.pn
0
Rainer JeschorCommented:
Hi,
this looks like a Kerberos issue. Without VPN, no Kerberos ticket can be issued (as the KDC cannot be contacted).
Could you perhaps verify the IIS log to get the sub status code of the request (401.x):
http://girdharbisht.com/girdhar/?cat=30

HTH
Rainer
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

LajuanTaylorCommented:
Have you compared the Network traffic using the browser tools (F12)? Try testing and comparing each scenario VPN, non-domain, and domain-joined.

Typically if it's an authentication issue SharePoint offers up the access denied message... I'm curious to see if there's any failed requests occurring.

Here's instruction on how to use the IE Developer Tools:
https://msdn.microsoft.com/en-us/library/gg589507(v=vs.85).aspx (How to use the tools)
https://msdn.microsoft.com/library/dn255004(v=vs.85).aspx (Anlayze Network Traffic)
0
K BAuthor Commented:
The-Page-cant-be-Displayed.png
0
LajuanTaylorCommented:
@Rainer Jeschor - Duh. I just realized the response headers as "Unauthorized".  Hmmm... I wonder if this could be an issue with how the SharePoint authentication providers are configured.
0
K BAuthor Commented:
Where would I look for that?
0
LajuanTaylorCommented:
The following instructions are for configuring anonymous access in SharePoint 2010, but they should give you idea where to look in Central Administration. There's plenty of screen shots. I would advise just take a peek to verify what the settings are:
http://www.topsharepoint.com/enable-anonymous-access-in-sharepoint-2010

Also, like Rainer Jeschor suggested take a look at the IIS Logs and any failed traces requests if they are enabled on IIS.
0
K BAuthor Commented:
Thank you,
Are you suggesting that I might not have anonymous access configured for the outside and thus the symptoms I have?
0
K BAuthor Commented:
Nevertheless, I am looking forward to checking on it when I am back in front of my computer.  Thanks again.
0
K BAuthor Commented:
Lajuan,

I see that Anonymous is not checked!  
So it sounds as if you are saying that this is required for users on domain-joined laptops that take their laptops home?

Thanks again!

K.B.
0
LajuanTaylorCommented:
@KB - Only if that works for your environment. Here's details from Microsoft regarding considerations when allowing anonymous access:
https://support.office.com/en-au/article/Enable-anonymous-access-3647cdd5-1ab8-48cf-b4ee-d1b652bbabdd

I'll check the settings on an instance of SharePoint Foundation that I'm using as an intranet search server... I'm using standard Windows authentication in a single forest domain. The one thing that I noticed is that my site permissions didn't always get applied to domain groups as expected.

Since I have a small user base, I ended up adding the domain users  individually under SharePoint site permissions versus adding users to a security group in Active Directory.
0
K BAuthor Commented:
So that would cause the symptoms I am seeing?

A SharePoint site that WORKS like this:

1. On the domain network - You are signed right in (credentials are passed to site perfectly) - Kerberos I suspect.
2. On the VPN with a Domain-Joined machine - You are signed right in (credentials are passed to site perfectly) Kerberos again.
3. Off the domain network (on a NON-Domain Joined computer) - prompted for credentials and you are signed in perfectly. NTLM I suspect.

It does NOT WORK like this:
4.  Off the domain network (on a DOMAIN-JOINED computer) - Page can't be displayed
0
Zacharia KurianAdministrator- Data Center & NetworkCommented:
Non-Domain Joined computers off the network can access SharePoint as they are prompted for credentials.

The site name that is been accessed by your non-domain joined computers and the domain-joined computers, is the same?

To me it sound like more of a DNS issue /site name issue.

Have  you tried the site name used by non-domain computers for domain -joined computers in a different browser like fire fox?

Zac.
0
K BAuthor Commented:
It works if a user changes their Internet Explorer settings...
FROM:
Security-Settings-Local-Intranet-Zone-Si
TO:
AFTER-Security-Settings-Local-Intranet-Z
0
LajuanTaylorCommented:
@K B - I took some screen shots of the IIS Settings in my environment. Please note, the SharePoint installer configured all the IIS sites and permissions. Also, I'm running SharePoint under a domain service account because I'm indexing Network content...

Please note comment next to each screenshot.
2015-05-03-1321-IIS-Configured-By-Instal
2015-05-03-1304-IIS-Application-Pools.pn
2015-05-03-1336-IIS-Top-Level.png
2015-05-03-1349-IIS-Form-Enabled.png
0
K BAuthor Commented:
mine looks pretty similar to that.
0
LajuanTaylorCommented:
I just check my IE11 security settings and user authentication is set to "Automatic logon only in intranet zone"...

Take a look at the following two blog posts that deal with SharePoint security. Maybe there's some small tweak that can be made, which will solve your problem...

Overview of Kerberos authentication for Microsoft SharePoint 2010 Products
https://technet.microsoft.com/en-us/library/gg502594(v=office.14).aspx

Account Permissions and Security Settings in SharePoint 2010
http://www.boostsolutions.com/blog/account-permissions-and-security-settings-in-sharepoint-2010/

Clarifying Guidance on SharePoint Security Groups versus Active Directory Domain Services Groups
http://blogs.msdn.com/b/kaevans/archive/2013/05/06/clarifying-guidance-on-sharepoint-security-groups-versus-active-directory-domain-services-groups.aspx 

I also attached a .pdf that provides on Authentication overview for SharePoint 2013
SP2013-authentication.pdf
0
K BAuthor Commented:
I am awaiting a change request in a couple weeks.. I would like to post results..

removing Forms Authentication from IIS as you see both are enabled in the picture (below)
2015-05-26-1043.png
0
K BAuthor Commented:
I haven't forgotten about this question.   Waiting on a change window.
0
LajuanTaylorCommented:
Hopefully, the change resolves your issue.

In my shop we use Citrix and leverage an RDP session from within Citrix. So basically, I'm remotely logging into my workstation and, therefore have access to my approved Network resources.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
K BAuthor Commented:
Im still waiting on this company to allow me to make this change.. I really want to.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft SharePoint

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.