Does anyone know what the different windows authentication providers for IIS7 means. There are 3 available providers
- NTLM
- Negotiate
- Negotiate:Kerberos
NTLM is pretty obvious I think its NTLM and Negotiate is that Kerberos if so then what is Negotiate:Kerberos ?
What you are seeing is actually a new feature in Windows Server 2008 R2.
NTLM and Negotiate are the same as the were in older versions of IIS. You are correct that Negotiate = Kerberos for the purposes of this discussion - but Negotiate can also fall back to NTLM if it cannot authenticate using Kerberos.
2008 R2 added a new feature in IIS called "Negotiable 2" (called Nego2 a lot in documentation/blogs) which allows new authentication providers like LiveID to work with IIS.
One of the additional benefits of Nego2 is that it allows you to have a Kerberos/Negotiate authentication provider that does not fall back to NTLM if it can't authenticate. That is the new "Negotiate:Kerberos" provider you are seeing.
The downside of this is that to use Nego2 providers (including Negotiate:Kerberos) you must disable kernel-mode authentication, which can decrease performance and cause other problems depending on your configuration.