I am using Sharepoint Foundation 2010.
In my environment, each of these run on separate servers (all are Windows 2008R2):
Domain Controller
SharePoint Foundation 2010 (running it's own instance of IIS 7.5)
SQL 2012
Our users authenticate to SharePoint using their active directory credentials. We've set up external content types (ECT's) based on our SQL tables and views and have created lists based on those ECT's. To provide our users with access, we've set up Kerberos authentication.
This is working well for our users when using a computer that is connected to the network. However, most of them need to access the content when they are not in the office or connected through the VPN. So they access the sharepoint site through our extranet zone.
When we try to access the list through the extranet zone, we get the error: Login filed for user 'NT AUTHORITY\ANONYMOUS LOGON'. I think this means that kerberos authentication is not working for users accessing sharepoint through the extranet zone.
Recent reading I've done seems to indicate kerberos does not work for an extranet. If that's the case, I am stuck with moving our SQL database to the Sharepoint server to avoid the double hop? Or is there some configuration piece I'm missing in IIS or Sharepoint that would make it work?