Kerberos
Kerberos is a single sign-on (SSO) network authentication protocol designed to allow nodes, communicating over a non-secure network, to prove their identity to one another in a secure manner.
Ntlm
NTLM (NT LAN Manager) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users.
Secure delegation domain
| Example |
|---|
|
"But as i understand it ntlm disallows the more secure kerberos domain credentials if they re available" from question Windows Authentication not prompting on Firefox or iOS Safari |
|
"Kerberos is however more secure and can handle delegation where the web server can access other resources a file server using the client s identity" from question Windows integrated (NTLM) authentication vs Windows integrated (Kerberos) |
|
"Ntlm is less secure and negotiate lets the client and server use kerberos if both of the client and server support it - if not both of them fallback to ntlm" from question Is using Default​Network​Credentials a security hole? |
|
"But since ntlm is less secure than kerberos why isn t it the other way around" from question Why is kerberos defaulting to NTLM in WCF? |
Better chatty ways
| Example |
|---|
|
"I understand that kerberos has better performance than ntlm" from question Performance difference Kerberos versus NTLM |
|
"In fact in some ways ntlm is better than kerberos" from question Authenticating against Active Directory with Java on Linux |
|
"Kerberos could be considered as a better option than ntlm" from question Windows integrated (NTLM) authentication vs Windows integrated (Kerberos) |
|
"Kerberos is better when it comes to performance;mainly because it is a lot less chatty than ntlm" from question Performance difference Kerberos versus NTLM |
Others
| Example |
|---|
|
Kerberos is complex to set up and even though it generally is considered faster than ntlm this is only true when you reach a certain limit of simultanious users on your site from question Access a SharePoint website from a Java application with Kerberos authentication |
|
Yes negotiate will pick between kerberos and ntlm but this is a one time choice from question If Kerberos Authentication fails,will it always fall back to NTLM? |
|
For a low traffic site the huge tokens that kerberos send across the network actually makes it slower than ntlm from question Access a SharePoint website from a Java application with Kerberos authentication |
|
However kerberos is much more widely supported;as for how you can use ntlm kerberos with http in the framework you are using from question How can I connect to a WCF SOAP web service that uses Windows authentication in pure xml? |
|
When you use kerberos and enable delegation which the domain admin needs to do you can have the original integrated auth credentials flow over the linked server link to the next connection;ntlm does not do this from question Weird setting when linking to Postgresql using Windows authentication or SQL authentication |
|
In a way negotiate is like kerberos but with a default backup of ntlm currently the negotiate security package selects between kerberos and ntlm from question What is NTLM/Authenticate/Negotiate web authentication |