We have set up Kerberos in our dev and QA portals and it works fine. However, before we configured it in our production portal, we found a problem. Our production portal is available for internal and external users.
For internal users the functionality works fine. In fact, it substantially reduces logon times when accessing ADS, I guess because the userid does not need to be searched for.
However, for external users there is a problem. If the external user has "Enable Integrated Windows Authentication" checked and is not a member of the NT domain, then the user will get a popup requiring a domain logon. The only way to get past it (because the user does not have an ADS account) is to click 'Cancel'. This is only true for IE. Firefox fails the authentication challenge silently and falls back to the basic authentication properly.
Does anyone know a way to change this behavior?