outside of domain authentication issues

I have a Windows 2012 R2 Domain that I'm having some authentication issues with.  The problem is, when users leave the office with their laptops the laptop will not authenticate their local account.  This isn't a cache issue as they can log into their machine, but when they launch any application that requires authentication back to our servers it is not trusted and requires them to re-enter their credentials to use it.

Outlook 2016
SSO Apps  (Acronis Access)
ADFS (any of the adfs apps we use require re-authentication)

Inside the domain, all of these work normally and do not require any separate password but once I disconnect and put my laptop on a hotspot or take it home, it starts prompting for password.  I am looking into it being related to kerberos but i'm not 100% and thought I would reach out to the group to see if anyone else has seen this and know what I should look at.  If this is as expected then it really causes a lot of headaches for some of the apps, acronis access for instance just runs in the background like dropbox and syncs but as soon as they leave the office it stops working since the setting is to use the local computer account.  For Outlook, if I type my password at the prompt, it logs me in just fine.

3 DCs 2012 R2
AD running at 2012 R2 Level
Workstations i'm having issues is Windows 10, currently don't have any windows 7 but i may build one to test.
David DonalsonownerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Cliff GaliherCommented:
I can't speak to individual apps (you'll need to reach out to the developer for that), but overall this is expected behavior.  Cached credentials *only* handle logging into the OS itself.  The way windows has handles SSO for the last 20 years is by via Kerberos tickets, which do have a small shelf-life and have to be issued by a reachable DC, so a cached credential on a client cannot be used to resources that rely on Kerberos seamlessly.

Apps that rely on ADFS are in a similar boat.  While on-premises, a Kerberos ticket can be used to get an OATH/SAML credential from ADFS.  But off-premises that can't happen so you have to authenticate against ADFS before you can reach 3rd-party apps that rely on one of those protocols.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
David DonalsonownerAuthor Commented:
That is what I am suspecting which is why i was looking at the Kerberos.  Reason I felt like it was an issue was I don't remember having to enter the Outlook credentials when offsite.  So I imagine that is the negotiate authentication setting on Exchange 2013 that I will have to change to support Mapi over HTTP.
Michael B. SmithManaging ConsultantCommented:
Outlook in cached mode puts credentials into the Windows Credential Cache. That is, it has special code so that the auth info doesn't have to be re-entered every time. If it isn't in cached mode, or this has been disabled, re-auth will be required.
David DonalsonownerAuthor Commented:
Thank you for the assistance.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Office

From novice to tech pro — start learning today.