You will need to create a second certificate for the external connector (i.e., the one that does not use the gateway) that uses Windows Authentication, unless you have a single wildcard certificate that is valid for each hostname. Kerberos-enabled connectors will not work correctly via the Workspace FQDN (Gateway VAs).