External Users must retry several times to connect to SharePoint

Seems like this issue comes up pretty often. Here are the symptoms:
You have an intranet (maybe even an extranet) SharePoint site. All users on the LAN (or domain) are able to connect and view the site with no issues. External users (users who are not on the LAN but have domain accounts) keep getting a login box. Their success is intermittent (it works sometimes, and other times it never works).
To track down the issue, you’ll have to enable auditing on the SharePoint front-end. If you enable logon auditing, you’ll see strange errors related to NTLM. What caused this in my case?
Our domain was set up to Accept NTLMv2 only/Refuse LM & NTLM (Network Security: LAN Manager authentication level under Local Policies -> Security Options). A group policy enforced this on all the SharePoint servers as well. It isn’t a problem for computers on the LAN because they also have the same group policy.
The external user was using a public computer or one that wasn’t on the same domain as the SharePoint server, so when the login box appeared they had to type in DOMAIN\UserName and their password.
The fix is to change the Local Security Policy on the client machine. We examined this and it turned out they had a Group Policy set for Send LM & NTLM Only. Changing this to “Send NTLMv2” resolves the issue and still allows their legacy applications to work (Domain Controllers accept LM, NTLM and NTLMv2 in this setting).
It’s a best practice to configure your farm for Kerberos anyway. If the Domain Administrators had allowed that, things would work much more smoothly. However, that was not possible.
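To check a machine before the user ends up in the login-box loop, here is an added PowerShell snippet (not from the original post) that reads the LAN Manager authentication level both the Local Security Policy and Group Policy write to, names it the way the policy editor does, and reports whether that level will get past a farm enforcing “Refuse LM & NTLM”. The script-level -Fix switch and the assumption that a missing value means the OS default of 3 are mine.

```powershell
# Added example: audit the effective "LAN Manager authentication level" on a
# client or SharePoint front-end and flag the mismatch described in the post.
# Both the Local Security Policy and the GPO setting write this one DWORD.
param([switch]$Fix)   # -Fix is an assumption of this example, not a built-in

$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LmCompatibilityLevel {
    $item = Get-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: assume the OS default (3 on Vista/2008 and later).
        return 3
    }
    return [int]$item.LmCompatibilityLevel
}

function Test-NtlmV2OnlyServerAccess {
    param([int]$ClientLevel)
    # Levels 0-2 send an LM and/or NTLM response, which a level-5 server
    # refuses; levels 3-5 send NTLMv2, which it accepts.
    return ($ClientLevel -ge 3)
}

$level = Get-LmCompatibilityLevel
Write-Host ("{0}: LmCompatibilityLevel = {1} ({2})" -f $env:COMPUTERNAME, $level, $LevelNames[$level])

if (Test-NtlmV2OnlyServerAccess -ClientLevel $level) {
    Write-Host 'OK: this machine sends NTLMv2 and will authenticate to a "Refuse LM & NTLM" farm.'
} else {
    Write-Host 'MISMATCH: sends LM/NTLM; expect repeated login prompts against a "Refuse LM & NTLM" farm.'
    if ($Fix) {
        # Level 3 = "Send NTLMv2 response only": fixes the prompts while the
        # DCs still accept LM/NTLM from legacy apps. If a GPO sets this value,
        # change the GPO instead, or the next refresh will overwrite it.
        Set-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -Value 3 -Type DWord
        Write-Host 'Set LmCompatibilityLevel to 3 (Send NTLMv2 response only).'
    }
}
```

Run it elevated on the affected client; compare its output with the SharePoint front-end, which should report level 5 in the scenario above.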