By default, Integrated Windows Authentication attempts to authenticate first with Kerberos and then with NTLM. With the IE browser, if the company DNS has been added to the trusted intranet sites but the client is not on the domain, the page fails with a "page cannot be displayed" error. It works when the client is on the network but not when it is off site.
What Should Happen:
Since the client is not currently on the network, when this page is called it should prompt the user for network credentials.
Issue:
But with IE, instead of prompting, the user gets a "page cannot be displayed" error because IIS is denying access to the ASP page. If the company DNS is removed from the trusted intranet site list, then it prompts correctly but disables single sign-on the next time that computer is connected to the network or VPN.
Workaround:
Changed the server to force NTLM authentication in IIS. NTLM authentication seems to work fine, so it must be Kerberos that is failing.
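To confirm which mechanism is in play before and after forcing NTLM, the server's `WWW-Authenticate` offers and the client's `Authorization` token can be inspected in a captured HTTP exchange. The Python below is an added example, not part of the original article; the function names are hypothetical and the header lines and token bytes are constructed samples.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"  # signature that starts every NTLM message

def offered_schemes(response_headers):
    """Auth schemes the server offers in a 401, in the order sent."""
    schemes = []
    for line in response_headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0])
    return schemes

def classify_token(b64_token):
    """Return 'ntlm', 'spnego' (how Kerberos is carried) or 'unknown'."""
    try:
        raw = base64.b64decode(b64_token)
    except ValueError:
        return "unknown"
    if NTLMSSP in raw[:64]:
        return "ntlm"      # raw NTLM, or NTLM wrapped inside Negotiate
    if raw[:1] == b"\x60":
        return "spnego"    # ASN.1 GSS-API token, normally a Kerberos ticket
    return "unknown"

def client_mechanism(request_headers):
    """(scheme, token type) from the Authorization header, or None."""
    for line in request_headers:
        name, _, value = line.partition(":")
        parts = value.split()
        if name.strip().lower() == "authorization" and len(parts) == 2:
            return parts[0], classify_token(parts[1])
    return None

# Constructed samples: minimal byte strings, not real credentials or tickets.
NTLM_TYPE1 = base64.b64encode(NTLMSSP + b"\x01\x00\x00\x00" + b"\x00" * 24).decode()
SPNEGO_BLOB = base64.b64encode(b"\x60\x28\x06\x06\x2b\x06\x01\x05\x05\x02" + b"\x00" * 32).decode()
DEFAULT_401 = ["HTTP/1.1 401 Unauthorized",
               "WWW-Authenticate: Negotiate", "WWW-Authenticate: NTLM"]
FORCED_NTLM_401 = ["HTTP/1.1 401 Unauthorized", "WWW-Authenticate: NTLM"]

if __name__ == "__main__":
    print("default offers:", offered_schemes(DEFAULT_401))
    print("forced offers: ", offered_schemes(FORCED_NTLM_401))
    print("client sent:   ", client_mechanism(["Authorization: Negotiate " + NTLM_TYPE1]))
```

With the workaround applied, the 401 response should list only `NTLM`; a `Negotiate` header carrying an `ntlm` token means the client fell back from Kerberos inside the negotiation.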
The workaround was found on this forum post:
http://stackoverflow.com/questions/2563445/why-does-integrated-windows-authentication-fail-when-clients-access-off-the-netw

Article ID: 239, Created On: 1/25/2012, Modified: 1/25/2012