Kerberos Authentication over the Internet


We are currently facing an interesting issue with regard to Kerberos authentication.

The goal is to publish a website over the internet. The authentication needs to be handled from end-to-end by Kerberos in an Active Directory environment. The client PCs, however, may or may not be domain-joined. The files of the website are located on a file share, which should be accessed using impersonation. The webserver itself is the primary domain controller.

The schematic overview of the landscape is shown below:

The problem:

IIS is set to only allow Negotiate:kerberos Windows Authentication. This will prompt a credential dialog in the browser when the client PC is outside the local network. The domain credentials are not accepted over the internet and the client's Event Viewer shows:

The Kerberos client could not locate a domain controller for domain domain.tld: 0xC000005E. Kerberos authentication requires communicating with a domain controller.

This is correct, because the domain's KDC is not accessible over the internet. As far as we understand, Kerberos authentication should be possible with direct client access to the KDC, since the webserver is delegated to authenticate on behalf of the end user.

Our main assumption:

  • Kerberos can be used as an authentication method without direct access from the Client PC to the KDC.

The things we have tried and / or are relevant:

  • sub.domain.tld is in Internet Explorer's trusted sites
  • Several SPN configurations
  • Different application pool identities (domain account, default account, system, network)
  • Disabled the loopback check
  • Machines in the same time zone / same time
  • Enabled delegation for the web server
  • Reproduced on a different domain with different machines (this domain had separate machines for the web server and the domain controller)

As a note, NTLM is not possible because it lacks support for impersonation and basic authentication is not desired because it stores the user credentials on the web server.

References:

  • www.adopenstatic.com/cs/blogs/ken/archive/2007/07/19/8460.aspx
  • www.adopenstatic.com/cs/blogs/ken/archive/2007/01/27/1282.aspx
  • windowsitpro.com/security/kerberos-delegation-and-troubleshooting
  • technet.microsoft.com/en-us/library/cc995228.aspx
  • community.dynamics.com/ax/b/axsolutionsmonkey/archive/2009/05/20/kerberos-configuration-for-clients-accessing-role-center-from-outside-of-intranet.aspx
  • dirteam.com/sander/2012/09/05/new-features-in-active-directory-domain-services-in-windows-server-2012-part-10-improved-kcd/
Tags: windows, iis, kerberos, delegation
asked on Stack Overflow Jan 27, 2015 by Astronout • edited Jan 27, 2015 by Astronout
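Added example, not part of the question or any answer: a simplified Python model of the two hops the question describes (browser to IIS for HTTP/sub.domain.tld, then IIS to the file share via constrained delegation). It is a toy, not real Kerberos; the file-share SPN, the application pool account and the user name are constructed. It shows that the browser itself must reach the KDC for its own TGS-REQ, while the server's delegation setting only governs the second hop, which is why the 0xC000005E error appears for internet clients regardless of how delegation is configured.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

REALM = "DOMAIN.TLD"
HTTP_SPN = "HTTP/sub.domain.tld"    # SPN of the IIS site named in the question
CIFS_SPN = "CIFS/files.domain.tld"  # constructed SPN for the file share
KDC_UNREACHABLE = "0xC000005E"      # status code from the question's Event Viewer entry

@dataclass(frozen=True)
class Ticket:
    client: str   # user principal the ticket was issued to
    service: str  # SPN the ticket is valid for

class Kdc:
    """Toy domain controller. `delegation` maps a service account to the SPNs it may
    obtain tickets for on a user's behalf (constrained delegation via S4U2Proxy)."""
    def __init__(self, delegation: Dict[str, Set[str]]):
        self.delegation = delegation

    def tgs_req(self, tgt: Ticket, spn: str) -> Ticket:
        # TGS-REQ: whoever needs a service ticket must reach the KDC itself.
        if tgt.service != f"krbtgt/{REALM}":
            raise ValueError("TGS-REQ requires a TGT")
        return Ticket(tgt.client, spn)

    def s4u2proxy(self, service_account: str, evidence: Ticket, spn: str) -> Ticket:
        # S4U2Proxy: IIS presents the user's HTTP ticket and asks for a ticket to the
        # back-end SPN in the user's name. Delegation settings govern this hop only.
        if spn not in self.delegation.get(service_account, set()):
            raise PermissionError(f"{service_account} is not trusted to delegate to {spn}")
        return Ticket(evidence.client, spn)

def access_site(user: str, client_kdc: Optional[Kdc], server_kdc: Kdc, app_pool: str) -> str:
    """Browser -> IIS -> file share; returns the identity impersonated on the share.
    client_kdc=None models an internet browser with no route to the KDC (IIS always has one)."""
    tgt = Ticket(user, f"krbtgt/{REALM}")  # assume the user already holds a TGT
    if client_kdc is None:
        # The question's failure: the browser, not IIS, must do the TGS-REQ for
        # HTTP/sub.domain.tld, so delegation on the server cannot replace KDC access.
        raise ConnectionError(f"could not locate a domain controller for {REALM}: {KDC_UNREACHABLE}")
    http_ticket = client_kdc.tgs_req(tgt, HTTP_SPN)                      # hop 1: browser -> IIS
    cifs_ticket = server_kdc.s4u2proxy(app_pool, http_ticket, CIFS_SPN)  # hop 2: IIS -> share
    return cifs_ticket.client

def outcome(user: str, client_kdc: Optional[Kdc], server_kdc: Kdc, app_pool: str) -> str:
    """Run access_site and report success or the Kerberos-side failure as text."""
    try:
        return "share opened as " + access_site(user, client_kdc, server_kdc, app_pool)
    except (ConnectionError, PermissionError) as exc:
        return f"failed: {exc}"
```

Running `outcome("alice@DOMAIN.TLD", dc, dc, "DOMAIN\\svc-iis")` with a KDC that lists CIFS_SPN under the app-pool account succeeds, while passing `None` as the client's KDC fails with the same status code as the question's event log, and an empty delegation list fails at the second hop instead.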

0 Answers

Nobody has answered this question yet.

