Does anyone know what the different Windows authentication providers for IIS7 mean? There are 3 available providers:

  1. NTLM
  2. Negotiate
  3. Negotiate:Kerberos

NTLM is pretty obvious, I think it's NTLM, and Negotiate, is that Kerberos? If so, then what is Negotiate:Kerberos?


Solution 1:

What you are seeing is actually a new feature in Windows Server 2008 R2.

NTLM and Negotiate are the same as they were in older versions of IIS. You are correct that Negotiate = Kerberos for the purposes of this discussion, but Negotiate can also fall back to NTLM if it cannot authenticate using Kerberos.

2008 R2 added a new feature in IIS called "Negotiable 2" (called Nego2 a lot in documentation/blogs) which allows new authentication providers like LiveID to work with IIS.

One of the additional benefits of Nego2 is that it allows you to have a Kerberos/Negotiate authentication provider that does not fall back to NTLM if it can't authenticate. That is the new "Negotiate:Kerberos" provider you are seeing.

The downside of this is that to use Nego2 providers (including Negotiate:Kerberos) you must disable kernel-mode authentication, which can decrease performance and cause other problems depending on your configuration.
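As an added example (not part of the original answer), here is how the provider list and the kernel-mode setting described above look from the WebAdministration module, with a check for the conflict the answer warns about. Assumptions: IIS 7.5 or later, an elevated PowerShell session, and the placeholder site name 'Default Web Site'.

```powershell
# Added example, not from the original post. Inspects a site's Windows
# Authentication providers and flags the Nego2 / kernel-mode conflict;
# Set-KerberosOnly applies the "Negotiate:Kerberos" provider correctly.
Import-Module WebAdministration

$filter = 'system.webServer/security/authentication/windowsAuthentication'
$site   = 'IIS:\Sites\Default Web Site'   # placeholder site name (assumption)

function Get-WinAuthState {
    param([string]$PSPath)
    $cfg = Get-WebConfiguration -Filter $filter -PSPath $PSPath
    $providers = Get-WebConfiguration -Filter "$filter/providers/add" -PSPath $PSPath |
        ForEach-Object { $_.value }
    # Anything other than plain NTLM / Negotiate is a Nego2 provider and
    # will not work while kernel-mode authentication is enabled.
    $nego2 = @($providers | Where-Object { $_ -notin @('NTLM', 'Negotiate') })
    [pscustomobject]@{
        Enabled       = $cfg.enabled
        UseKernelMode = $cfg.useKernelMode
        Providers     = $providers
        Nego2Conflict = ($cfg.useKernelMode -and $nego2.Count -gt 0)
    }
}

function Set-KerberosOnly {
    param([string]$PSPath)
    # windowsAuthentication is locked at the server level by default; if the
    # site-level write is rejected, unlock it first (server-wide change):
    # Set-WebConfiguration -Filter $filter -PSPath 'IIS:\' -Metadata overrideMode -Value Allow
    Set-WebConfigurationProperty -Filter $filter -PSPath $PSPath -Name enabled -Value $true
    # Negotiate:Kerberos is a Nego2 provider, so kernel mode must be off.
    Set-WebConfigurationProperty -Filter $filter -PSPath $PSPath -Name useKernelMode -Value $false
    # Replace the provider list with Kerberos only (no NTLM fallback).
    Clear-WebConfiguration -Filter "$filter/providers" -PSPath $PSPath
    Add-WebConfigurationProperty -Filter "$filter/providers" -PSPath $PSPath `
        -Name '.' -Value @{ value = 'Negotiate:Kerberos' }
}

# Report the current state; a Nego2Conflict of True means the configured
# provider will silently fail until useKernelMode is set to false.
Get-WinAuthState -PSPath $site | Format-List
```

Run `Set-KerberosOnly -PSPath $site` only after confirming the site's SPNs and application pool identity are already set up for Kerberos, since the NTLM fallback that normally masks SPN problems is gone with this provider.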