Does a SharePoint WebApp (Authentication Provider) require Anonymous Access to be checked for Negotiate and NTLM authentication (for outside users)?

I have a SharePoint site that works like this:

1. On the domain network - You are signed right in (credentials are passed to site perfectly) - Kerberos I suspect.
2. On the VPN with a Domain-Joined machine - You are signed right in (credentials are passed to site perfectly) Kerberos again.
3. Off the domain network (on a NON-Domain Joined computer) - prompted for credentials and you are signed in perfectly. NTLM I suspect.

It does not work like this:
4.  Off the domain network (on a DOMAIN-JOINED computer) - Page can't be displayed.

Must I enable Anonymous Access as shown here?

IIS shows it enabled but it is not enabled in Sharepoint

K BAsked:
Who is Participating?
Mohit NairSenior AssociateCommented:
If you need users to access the site on a non domain joined computer without prompting for credentials, then you need to enable anonymous access like in the screenshot you have shown. Also enable at the site level by going to [site actions][site settings][site permissions] under "Users and Groups" click on anonymous access on the ribbon control. Select as Enable entire website.
David Johnson, CD, MVPOwnerCommented:
you need to enable forms authentication and also check the enable anonymous access
K BAuthor Commented:

Thank you very much for your reply!!
Currently, on the web app in question, I have 2 authentication providers that look like this (is this correct?)...

The Alternate Access Mappings look like this (the only site we are trying to remediate is - which seems to use the default zone?)


Thank you again for your knowledge!
Cloud Class® Course: Python 3 Fundamentals

This course will teach participants about installing and configuring Python, syntax, importing, statements, types, strings, booleans, files, lists, tuples, comprehensions, functions, and classes.

Mohit NairSenior AssociateCommented:
You don't need to enable anonymous access either for NTLM or Kerberos. Either have anonymous or one of this. If you enable anonymous it would compromise with the site security and would be more susceptible to attacks or threats if you hold any confidential data in the site.
Ideally best recommendation is to have NTLM for internal access and Forms based authentication for external access.

Please do not mind those 401 fiddler traces.
K BAuthor Commented:
Thank you for your reply. Do you have any idea why I am unable to access the share point site without modifying the IEs user login authentication type to require username and password from the outside?
K BAuthor Commented:
"Prompt* for username and password"
Mohit NairSenior AssociateCommented:
Could you please elaborate the question again ? Do you want users to access the site externally without prompting for credentials ?
K BAuthor Commented:
only if they are on domain joined computers... it works, except off the network
K BAuthor Commented:
I am awaiting a change request in a couple weeks.. I would like to post results..

removing Forms Authentication from IIS as you see both are enabled in the picture (below)
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.