IIS7 Windows Authentication Providers
Does anyone know what the different Windows authentication providers for IIS7 mean? There are 3 available providers:
- NTLM
- Negotiate
- Negotiate:Kerberos
NTLM is pretty obvious, I think: it's NTLM. And Negotiate, is that Kerberos? If so, then what is Negotiate:Kerberos?
Solution 1:
What you are seeing is actually a new feature in Windows Server 2008 R2.
NTLM and Negotiate are the same as they were in older versions of IIS. You are correct that Negotiate = Kerberos for the purposes of this discussion - but Negotiate can also fall back to NTLM if it cannot authenticate using Kerberos.
2008 R2 added a new feature in IIS called "Negotiable 2" (called Nego2 a lot in documentation/blogs) which allows new authentication providers like LiveID to work with IIS.
One of the additional benefits of Nego2 is that it allows you to have a Kerberos/Negotiate authentication provider that does not fall back to NTLM if it can't authenticate. That is the new "Negotiate:Kerberos" provider you are seeing.
The downside of this is that to use Nego2 providers (including Negotiate:Kerberos) you must disable kernel-mode authentication, which can decrease performance and cause other problems depending on your configuration.