Thursday, September 09, 2004

Kerberos vs NTLM

What is actually stored in AD for a user's password is either a hash of the password (LM/NTLM/NTLMv2) or, for Kerberos, a key derived by running username + salt (the UPN suffix) + password through a hashing algorithm.
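As an added illustration (not code from the original post), the two kinds of stored material side by side: the unsalted NT hash (MD4 over the UTF-16LE password, as used by NTLM and, per RFC 4757, directly as the RC4-HMAC Kerberos key) and the salted PBKDF2 stage of the RFC 3962 AES Kerberos string-to-key, where the salt is the realm (the UPN suffix the post mentions) plus the principal name. The realm `corp.example`, users `alice`/`bob` and the password are constructed sample values; the final AES-CBC "DK" step of the AES derivation is left out.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

def _rot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because OpenSSL 3 builds of hashlib often lack it."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # (round function, message-word order, shift amounts, additive constant)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, order, shifts, k in rounds:
            for i, w in enumerate(order):
                # one RFC 1320 step; the tuple assignment rotates the a/b/c/d roles
                a, b, c, d = d, _rot((a + f(b, c, d) + x[w] + k) & MASK, shifts[i % 4]), b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    """Unsalted NT hash as stored in AD: MD4 over the UTF-16LE encoded password."""
    return md4(password.encode("utf-16-le"))

def krb_aes_pbkdf2(password: str, realm: str, principal: str, length: int = 32) -> bytes:
    """First stage of the RFC 3962 AES string-to-key: PBKDF2-HMAC-SHA1, 4096 iterations,
    salted with uppercase REALM + principal, so equal passwords give different keys."""
    salt = (realm.upper() + principal).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 4096, length)

if __name__ == "__main__":
    # Constructed sample: two users in the hypothetical realm corp.example share a password.
    pw = "Summer2004!"
    for user in ("alice", "bob"):
        # NT hash is identical for both users; the salted Kerberos key is not.
        print(user, nt_hash(pw).hex(), krb_aes_pbkdf2(pw, "corp.example", user).hex())
```

Because the NT hash carries no salt, two accounts with the same password store the same value, which is exactly what makes it attractive to reuse; the salted Kerberos derivation does not have that property.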


The subject of Kerberos authentication is large—entire books have been written about it—but here's a quick explanation of why Kerberos works better than NT LAN Manager (NTLM). When you configure the user account and the server to be trusted for delegation and you use Kerberos, any server component that the user invokes enjoys full network access under the user's identity (this is called delegation). If the client is logged on to a domain, the browser never prompts the user for credentials; it simply uses the user's default logon credentials.

If your domain doesn't use Active Directory (AD) or if the user's browser doesn't support Kerberos, Integrated Windows authentication falls back to NTLM authentication (which was available in IIS 4.0). With NTLM authentication, however, server components have only limited network access.

When you specify Integrated Windows authentication on the Administration Web Site, determining whether the connection was authenticated with Kerberos or NTLM is difficult. The Microsoft article "Determining the Authentication Method with Internet Information Services 5.0" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q241835) provides information to help you determine the method in IIS 5.0.
