Here is what I have so far. I have Windows Server 2003 SP2 with IIS 6 installed. I have a one-page site with only Integrated Authentication enabled. The SPNs are set correctly in Active Directory. I can log in all day long in IE if I use http://<NetBIOS>. I can log in fine if I put *.domain.com in my Local Intranet Zone or my Trusted Sites Zone.

If I browse to the site from a non-domain machine and attempt to log in with my user account, which now has a Kerberos ticket on the IIS server because of my authentication session earlier in the day, I can attempt to log in with my UPN even though my current machine does not have a Kerberos ticket (I have used KerbTray to purge my Kerberos cache to make sure), and I can log in successfully if I give the correct password. Shouldn't Kerberos fail if I don't have a ticket on the client?

If I type in a valid domain UPN that does not have a Kerberos ticket on the server, I receive a 500 error and not a 401 error as I would expect. If I type in an NTLM username then I am fine: I am either logged in, re-prompted, or shown a 401.X error. If I type in a non-valid domain UPN such as userdoesntexist@domain.com, or a non-valid username such as anything@invaliddomain.com, I am re-prompted or a 401.X page is served.
The documentation I have read states that if Kerberos authentication fails it will fall back to NTLM. It does not appear to be falling back to NTLM and prompting me for credentials or presenting a 401 error. It just errors out with a 500 page. Well, it appears that NTLM does not know what to do with a UPN, so the server displays a 500 error and hopes I will get it right the next time I browse to the site. Maybe I should edit the 500 page to state, "please enter your username as domain\username."
Does anyone know why this is happening?
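One way to tell whether a given request actually went over Kerberos or NTLM is to look at the token the browser sends in the Authorization header rather than at the response code: a raw NTLM token begins with the bytes `NTLMSSP\0`, while a Kerberos token is a GSS-API/SPNEGO DER structure (base64 starting with `YII`) whose mechType list names Kerberos or NTLMSSP. The following is an added diagnostic written for this thread, not code from the original post or from IIS; the token layouts come from RFC 4178 (SPNEGO) and MS-NLMP, and the sample tokens and the sample 401 response it classifies are constructed inline, so it runs offline against no real server.

```python
"""Classify the mechanism carried in an HTTP Authorization: Negotiate / NTLM header.

Added example for diagnosing Kerberos-vs-NTLM fallback; sample data is constructed.
"""
import base64

# DER-encoded OIDs (tag 0x06, length, contents) exactly as they appear inside GSS tokens.
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MSKRB5 = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2 (MS KRB5)
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                        # start of every raw NTLM message

# Constructed sample 401 from an IIS-style server offering both schemes.
SAMPLE_401 = ("HTTP/1.1 401 Unauthorized\r\n"
              "WWW-Authenticate: Negotiate\r\n"
              "WWW-Authenticate: NTLM\r\n"
              "Content-Length: 0\r\n\r\n")


def der(tag, body):
    """Wrap body in a DER TLV; long-form length is handled for bodies >= 128 bytes."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + body


def _read_len(buf, pos):
    """Decode a DER length at pos; returns (length, position of first content byte)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _read_oid(buf, pos):
    """Return the whole OID TLV at pos, or None if there is no OID there."""
    if pos + 1 >= len(buf) or buf[pos] != 0x06:
        return None
    length, body = _read_len(buf, pos + 1)
    return buf[pos:body + length]


# --- constructed sample tokens (shape only; not captured from a real session) ---
def build_ntlm_negotiate():
    """NTLM NEGOTIATE_MESSAGE (type 1): signature, type, then zeroed fields."""
    return NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + b"\x00" * 24


def build_krb_mech_token():
    """Placeholder Kerberos InitialContextToken: 0x60 len OID 01 00 <AP-REQ would follow>."""
    return der(0x60, OID_KRB5 + b"\x01\x00" + b"AP-REQ-PLACEHOLDER")


def build_spnego_init(mech_oids, mech_token):
    """Minimal SPNEGO NegTokenInit (RFC 4178 s.4.2): mechTypes list plus mechToken."""
    mech_types = der(0xA0, der(0x30, b"".join(mech_oids)))
    token = der(0xA2, der(0x04, mech_token))
    return der(0x60, OID_SPNEGO + der(0xA0, der(0x30, mech_types + token)))


def header_for(scheme, token):
    """Render a token the way a browser sends it: 'Negotiate <base64>' or 'NTLM <base64>'."""
    return scheme + " " + base64.b64encode(token).decode()


def classify_authorization(header_value):
    """Return which mechanism an Authorization header value actually carries."""
    _scheme, _, b64 = header_value.strip().partition(" ")
    try:
        token = base64.b64decode(b64, validate=True)
    except Exception:
        return "malformed"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "NTLM"                      # raw NTLMSSP, even when labelled Negotiate
    if len(token) < 2 or token[0] != 0x60:
        return "unknown"
    _, pos = _read_len(token, 1)           # skip outer InitialContextToken length
    oid = _read_oid(token, pos)
    if oid in (OID_KRB5, OID_MSKRB5):
        return "Kerberos"                  # bare Kerberos GSS token, no SPNEGO wrapper
    if oid != OID_SPNEGO:
        return "unknown"
    rest = token[pos + len(oid):]
    if NTLMSSP_SIGNATURE in rest:
        return "SPNEGO/NTLM"               # optimistic mechToken is an NTLM message
    hits = {rest.find(o): name for o, name in ((OID_KRB5, "Kerberos"),
                                                (OID_MSKRB5, "Kerberos"),
                                                (OID_NTLMSSP, "NTLM")) if o in rest}
    return "SPNEGO/" + (hits[min(hits)] if hits else "unknown")


def offered_schemes(raw_response):
    """(status, [schemes]) from a raw HTTP response; a 401 listing both is what fallback looks like."""
    head = raw_response.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    schemes = [line.split(":", 1)[1].strip().split()[0]
               for line in head[1:] if line.lower().startswith("www-authenticate:")]
    return status, schemes


if __name__ == "__main__":
    krb = header_for("Negotiate", build_spnego_init(
        [OID_MSKRB5, OID_KRB5, OID_NTLMSSP], build_krb_mech_token()))
    print(classify_authorization(krb))                                   # SPNEGO/Kerberos
    print(classify_authorization(header_for("Negotiate", build_ntlm_negotiate())))  # NTLM
    print(offered_schemes(SAMPLE_401))                                   # (401, ['Negotiate', 'NTLM'])
```

To use it against the real site, paste the Authorization header value captured from the browser (Fiddler or a network trace) into `classify_authorization`; a UPN login that "works" without a client ticket should show up as NTLM, and a 401 whose WWW-Authenticate headers list both Negotiate and NTLM is the server offering the fallback the documentation describes.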