Also read – 4 types of authentication

What exactly are External USers from an AD perspective?

External Users can be both your own corporate (remote) users, OR external partners. This was confusing to me at first – but even your own corporate users can be external (remote login users)..

How do you authenticate external users?

A particular ZONE of the internal network is exposed via a Web Application Proxy (Reverse Proxy). Usually, this is the DMZ zone.

What about Kerberos? Don’t internal users need to be on the network to get a Kerberos ticket?

External Corporate users still get a Kerberos Ticket, even though they are not on the internal network. This magic is done by the Web Application Proxy.