When configuring Windows Authentication in IIS7, you'll encounter three distinct provider options. They live in the providers collection of the windowsAuthentication element, which is set in applicationHost.config; the section is locked by default (overrideModeDefault="Deny"), so a site's web.config can only change it after the section has been unlocked:
- NTLM
- Negotiate
- Negotiate:Kerberos
NTLM Provider
The NTLM (NT LAN Manager) provider uses challenge-response authentication and needs no Kerberos infrastructure, which is why it still works for local accounts and for clients that cannot reach a domain controller. Its limitations are well known: there is no mutual authentication (the client cannot verify the server), every authentication of a domain account is passed through to a domain controller for validation, the challenge-response exchange is exposed to NTLM relay unless channel binding (Extended Protection for Authentication, IIS 7.5) is enforced, and NTLM cannot delegate the user's identity to a back-end service.

```xml
<!-- Example web.config setting for NTLM-only.
     <clear /> drops the inherited default providers (Negotiate, NTLM);
     without it, adding NTLM again fails with a duplicate collection entry error. -->
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true">
        <providers>
          <clear />
          <add value="NTLM" />
        </providers>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>
```
Negotiate Provider
The Negotiate provider implements SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism). IIS only advertises "Negotiate"; the client picks the mechanism and sends it in its first token, so the fallback decision is made on the client side:
- Attempts Kerberos first, which requires the client to obtain a service ticket for the site's HTTP SPN from a domain controller
- Falls back to NTLM when it cannot obtain that ticket: no SPN matches the hostname, the site is addressed by IP address, the client is not domain-joined, or no domain controller is reachable (a ticket the server cannot decrypt, typically because the SPN is registered on the wrong account, produces a 401 rather than a fallback)
- Recommended for most scenarios, with one caveat: Negotiate does not prevent NTLM, so a broken SPN silently turns a "Kerberos" site into an NTLM site
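Because the fallback decision is the client's, the only way to know whether a request actually used Kerberos is to look at the token it sent. The script below is an added example for this article, not IIS code or anything from the original page: it decodes an HTTP Authorization header value and reports the mechanism, relying on two facts of the protocol, that a SPNEGO NegTokenInit lists the mechanism the client actually used first in its mechTypes sequence, and that a bare NTLM token starts with the "NTLMSSP\0" signature. The sample headers are constructed inside the script by building minimal SPNEGO structures (the inner Kerberos and NTLM tokens are dummy bytes), not captured from a live server; in practice you would feed it header values from a proxy or packet capture.

```python
"""Classify the token in an HTTP 'Authorization' header as Kerberos or NTLM.

Added example for this article, not IIS code. A SPNEGO NegTokenInit lists the
mechanism the client actually used first in mechTypes, so that OID shows whether
a Negotiate request used Kerberos or fell back to NTLM. The sample headers below
are constructed here, not captured; their inner mechanism tokens are dummy bytes.
"""
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KERBEROS = "1.2.840.113554.1.2.2"
OID_MS_KERBEROS = "1.2.840.48018.1.2.2"      # legacy Microsoft Kerberos OID
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {OID_KERBEROS: "Kerberos", OID_MS_KERBEROS: "Kerberos", OID_NTLMSSP: "NTLM"}

def encode_oid(dotted):
    """Dotted OID string -> DER contents (first two arcs merged, base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return bytes(out)

def decode_oid(body):
    """DER OID contents -> dotted string."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def der(tag, payload):
    """Wrap payload in a DER TLV with a definite short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + payload

def read_tlv(buf, pos=0):
    """Parse the TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        count = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + n], pos + n

def build_neg_token_init(mech_oids, mech_token=b"\x00"):
    """Constructed sample: GSS-API InitialContextToken around a SPNEGO NegTokenInit."""
    mech_types = der(0x30, b"".join(der(0x06, encode_oid(o)) for o in mech_oids))
    neg_init = der(0x30, der(0xA0, mech_types) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, encode_oid(OID_SPNEGO)) + der(0xA0, neg_init))

def classify_authorization(header):
    """Return 'Kerberos', 'NTLM' or 'unknown' for one Authorization header value."""
    scheme, _, blob = header.strip().partition(" ")
    token = base64.b64decode(blob)
    if scheme.lower() == "ntlm" or token.startswith(b"NTLMSSP\x00"):
        return "NTLM"                         # raw NTLMSSP, under either scheme
    if scheme.lower() != "negotiate" or not token or token[0] != 0x60:
        return "unknown"
    _, inner, _ = read_tlv(token)             # [APPLICATION 0] InitialContextToken
    tag, oid, pos = read_tlv(inner)           # thisMech OID
    this_mech = decode_oid(oid) if tag == 0x06 else ""
    if this_mech in MECH_NAMES:
        return MECH_NAMES[this_mech]          # bare Kerberos AP-REQ without SPNEGO
    if this_mech != OID_SPNEGO:
        return "unknown"
    tag, neg_token, _ = read_tlv(inner, pos)  # [0] NegTokenInit; [1] NegTokenResp has no mechTypes
    if tag != 0xA0:
        return "unknown"
    _, seq, _ = read_tlv(neg_token)           # SEQUENCE { [0] mechTypes, ... }
    tag, mech_types, _ = read_tlv(seq)
    if tag != 0xA0:
        return "unknown"
    _, oid_list, _ = read_tlv(mech_types)     # SEQUENCE OF OID
    _, first, _ = read_tlv(oid_list)          # first entry = mechanism the client used
    return MECH_NAMES.get(decode_oid(first), "unknown")

# Constructed sample headers (not captured): a domain client offering Kerberos
# first, a client that fell back to NTLM inside SPNEGO, and a raw NTLM client.
SAMPLE_HEADERS = {
    "kerberos": "Negotiate " + base64.b64encode(
        build_neg_token_init([OID_MS_KERBEROS, OID_KERBEROS, OID_NTLMSSP])).decode(),
    "fallback": "Negotiate " + base64.b64encode(build_neg_token_init([OID_NTLMSSP])).decode(),
    "raw_ntlm": "NTLM " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode(),
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(f"{name:9s} -> {classify_authorization(header)}")
```

Anything this reports as NTLM under the Negotiate scheme is a client that fell back, which is exactly the request that Negotiate:Kerberos would reject with a 401; running it over a day of captured headers before switching providers tells you how many clients would be locked out.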
Negotiate:Kerberos Provider
This is a strict Kerberos-only variant of Negotiate: IIS still advertises "Negotiate", but accepts only a Kerberos token inside the exchange. A client that offers NTLM, or sends a raw NTLM token, gets a 401 instead of a fallback, so every client must be able to obtain a ticket for the site before you switch to it:

```xml
<!-- Example of Kerberos-only configuration -->
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true">
        <providers>
          <clear />
          <add value="Negotiate:Kerberos" />
        </providers>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>
```
| Provider | Protocol | Fallback | Best For |
|---|---|---|---|
| NTLM | NTLM only | None | Workgroup or local-account environments, and clients that cannot reach a domain controller |
| Negotiate | Kerberos → NTLM | Yes (client decides) | Most enterprise environments |
| Negotiate:Kerberos | Kerberos only | No | High-security environments where every client is domain-joined and SPNs are verified |
For Kerberos to work properly, ensure:
- The HTTP SPN is registered on the account that decrypts the tickets: the machine account (DOMAIN\webserver$) when the application pool runs as ApplicationPoolIdentity, NetworkService or LocalSystem, or the domain service account when the pool runs as one
- An SPN exists for every hostname clients use (short name and FQDN), and no SPN is registered on two accounts; a duplicate SPN breaks Kerberos for both (setspn -X lists duplicates across the forest)
- Clients address the site by hostname, not IP address; Windows clients do not request Kerberos tickets for an IP address by default
- Client and server are in the same AD domain or trusted domains
- Time synchronization is accurate: Kerberos rejects tickets outside the allowed clock skew (5 minutes by default)

```cmd
rem List the SPNs registered on the web server's machine account
setspn -L DOMAIN\webserver$
rem Show which account holds the SPN clients will request (placeholder hostname)
setspn -Q HTTP/<hostname>
```
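A common variant of the wrong-account problem: the application pool runs as a domain service account, the SPN is correctly registered on that account, and Kerberos still fails. IIS 7 authenticates in kernel mode by default (useKernelMode="true"), and kernel mode decrypts service tickets with the machine account's key, not the pool identity's. The fragment below is an added example, not configuration from the original article; it shows the Kerberos-only provider together with useAppPoolCredentials="true", which tells kernel-mode authentication to use the application pool identity's key. The hostname and account names are placeholders, and the attribute is assumed to be available (IIS 7.5 and later; on IIS 7.0 the equivalent is useKernelMode="false", which lets the worker process decrypt tickets itself).

```xml
<!-- Added example: Kerberos-only site whose application pool runs as a domain
     service account. Prerequisite, run once by a domain admin (placeholders):
       setspn -S HTTP/<hostname> DOMAIN\<serviceaccount>
     useKernelMode="true" is the IIS 7 default. With a custom pool identity it
     must be paired with useAppPoolCredentials="true"; otherwise HTTP.sys tries
     to decrypt the service ticket with the machine account key and the client
     gets a 401 (no fallback under Negotiate:Kerberos). -->
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true"
                             useKernelMode="true"
                             useAppPoolCredentials="true">
        <providers>
          <clear />
          <add value="Negotiate:Kerberos" />
        </providers>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>
```

If several sites on one server run under different domain accounts, each needs its own hostname and SPN, since a single HTTP SPN can belong to only one account.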
Kerberos generally outperforms NTLM once clients are authenticated: the client caches the service ticket and presents it in a single request, and the server validates it locally with its own key. NTLM needs a three-leg challenge-response exchange for each new connection and, for domain accounts, a pass-through call to a domain controller every time. The first Kerberos authentication is the expensive one, because the client must obtain a service ticket from the KDC before it can send the request.
Recommended setup for most environments: keep both providers and list Negotiate first. The order is the order in which IIS emits its WWW-Authenticate headers, and a client uses the first scheme it supports, so domain clients take Kerberos while non-domain clients still authenticate with NTLM:

```xml
<providers>
  <clear />
  <add value="Negotiate" />
  <add value="NTLM" />
</providers>
```

Move to Negotiate:Kerberos only once every client can obtain a ticket for the site; with that provider, clients that cannot are locked out rather than falling back.
Troubleshooting Kerberos issues:
- Verify SPN registration on the account the application pool runs as:
  setspn -L <serviceaccount>
- Check delegation settings in Active Directory if the site must pass the user's identity on to a back end such as SQL Server or another web service; delegation is a Kerberos feature that NTLM cannot provide
- Validate time synchronization between clients, the web server and the domain controllers

| Provider | Performance | Security |
|---|---|---|
| NTLM | Moderate: three-leg handshake plus a domain controller round trip per authentication | Basic: no mutual authentication, exposed to relay |
| Negotiate | Variable: Kerberos speed when clients can get tickets, NTLM cost otherwise | Strong when Kerberos is used, but NTLM fallback is still accepted |
| Negotiate:Kerberos | Best once SPNs are correct: tickets are validated locally | Strongest: NTLM is refused outright |