Does a SharePoint WebApp (Authentication Provider) require Anonymous Access to be checked for Negotiate and NTLM authentication (for outside users)?

I have a SharePoint site that works like this:

1. On the domain network - You are signed right in (credentials are passed to site perfectly) - Kerberos I suspect.
2. On the VPN with a Domain-Joined machine - You are signed right in (credentials are passed to site perfectly) Kerberos again.
3. Off the domain network (on a NON-Domain Joined computer) - prompted for credentials and you are signed in perfectly. NTLM I suspect.

It does not work like this:
4.  Off the domain network (on a DOMAIN-JOINED computer) - Page can't be displayed.

Fiddler-401-Unauthorized-Outside-Only-de
Must I enable Anonymous Access as shown here?
http://www.topsharepoint.com/enable-anonymous-access-in-sharepoint-2010

IIS shows it enabled but it is not enabled in Sharepoint

Enable-Anonymous-Access-NOT-CHECKED.png
LVL 9
K BAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Johnson, CD, MVPOwnerCommented:
you need to enable forms authentication and also check the enable anonymous access
0
K BAuthor Commented:
David,

Thank you very much for your reply!!
Currently, on the web app in question, I have 2 authentication providers that look like this (is this correct?)...

Authentication-Providers-of-Single-Web-A
The Alternate Access Mappings look like this (the only site we are trying to remediate is https://portal.contoso.com - which seems to use the default zone?)

Alternate-Access-Mappings.png

Thank you again for your knowledge!
K.B.
0
Mohit NairSenior AssociateCommented:
You don't need to enable anonymous access either for NTLM or Kerberos. Either have anonymous or one of this. If you enable anonymous it would compromise with the site security and would be more susceptible to attacks or threats if you hold any confidential data in the site.
Ideally best recommendation is to have NTLM for internal access and Forms based authentication for external access.

Please do not mind those 401 fiddler traces.
0
Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

K BAuthor Commented:
Thank you for your reply. Do you have any idea why I am unable to access the share point site without modifying the IEs user login authentication type to require username and password from the outside?
0
K BAuthor Commented:
"Prompt* for username and password"
0
Mohit NairSenior AssociateCommented:
Could you please elaborate the question again ? Do you want users to access the site externally without prompting for credentials ?
0
K BAuthor Commented:
only if they are on domain joined computers... it works, except off the network
0
Mohit NairSenior AssociateCommented:
If you need users to access the site on a non domain joined computer without prompting for credentials, then you need to enable anonymous access like in the screenshot you have shown. Also enable at the site level by going to [site actions][site settings][site permissions] under "Users and Groups" click on anonymous access on the ribbon control. Select as Enable entire website.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
K BAuthor Commented:
I am awaiting a change request in a couple weeks.. I would like to post results..

removing Forms Authentication from IIS as you see both are enabled in the picture (below)
2015-05-26-1043.png
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft SharePoint

From novice to tech pro — start learning today.