Reauthentication and opening SharePoint documents on an extranet

People find it annoying that when accessing a SharePoint extranet, when you open a file stored in a Document Library, MS-Word will challenge you to enter your username and password again. It happens because the machine is outside the SharePoint domain, and your two desktop applications (Word and Explorer) are running as separate Applications, each of which needs to get its own Authentication token. Note that this doesn't happen over a VPN, which connects your machine as though it were sitting inside the domain.

The solution is found in Internet Security and Acceleration Server (ISA) 2006. If you're making SharePoint available externally you should already be running ISA. The trick is configuring the Listener of that external connector to allow persistent cookies. Go to Listener Properties, Forms, Advanced. Name your cookie and select "Only on Private Computers" for the second field.

It's also good to configure ISA to use Forms-based NTLM authentication, which even has extensions to supoprt third-party authentication providers like RSA. That way you can use most any browser to hit your external SharePoint site, not just IE and Firefox.