Windows integrated (NTLM) authentication vs Windows integrated (Kerberos)

Nitin S · Jul 19, 2011 · Viewed 24k times

What is the difference between Windows integrated (NTLM) authentication and Windows integrated (Kerberos)?

How do I implement these in IIS6?

w.r.t. MSDN

Answer

Anders Abel · Jul 19, 2011

Kerberos and NTLM are different algorithms for validating a user's password, without revealing the password to the server. More info about NTLM and Kerberos at Wikipedia.

If you enable Windows authentication, Kerberos will normally be preferred and if that is not available it will fall back to NTLM.

  • NTLM only requires the client to communicate with the web server in order to authenticate. The web server handles the communication with the domain controller. This is an advantage with publicly available sites where a DC cannot be reached from the Internet. Unfortunately the cryptography used by NTLM is outdated and can no longer be considered secure. NTLM should only be used over https.
  • Kerberos requires the client to get a ticket from the domain controller, which makes it more suitable for Intranet scenarios. Kerberos is however more secure and can handle delegation, where the web server can access other resources (e.g. a file server) using the client's identity.
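Because the fallback from Kerberos to NTLM described in the answer is silent (the client still sends `Authorization: Negotiate ...`), the practical check is to look at what is inside the token. The following is an added example, not code from the original question or answer: it classifies Authorization header values as Kerberos or NTLM by inspecting the token (NTLM tokens begin with the bytes `NTLMSSP\0`; Kerberos tokens are DER-encoded GSS-API/SPNEGO blobs whose first listed mechanism OID is Kerberos). The request lines, their `<ip> <method> <path> <Authorization value>` layout and the tokens themselves are constructed for this example, not captured from a real IIS server.

```python
"""Tell Kerberos from NTLM behind "Windows authentication" (added example)."""
import base64
from collections import Counter

# Mechanism OIDs as DER content bytes (without the 0x06 tag and length).
OID_SPNEGO = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f71201" "0202")    # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f71201" "0202")  # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
KERBEROS_OIDS = (OID_KRB5, OID_MS_KRB5)


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; only used to build the constructed sample tokens."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at buf[pos]; returns (tag, content, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, pos = first, pos + 2
    else:
        k = first & 0x7F
        n, pos = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n


def spnego_mechs(token: bytes):
    """Return the mechTypes of a SPNEGO NegTokenInit (or [krb5] for a raw Kerberos token)."""
    tag, body, _ = read_tlv(token)
    if tag != 0x60:                      # GSS-API InitialContextToken
        return []
    tag, oid, pos = read_tlv(body)
    if tag != 0x06:
        return []
    if oid in KERBEROS_OIDS:             # Kerberos AP-REQ without a SPNEGO wrapper
        return [oid]
    if oid != OID_SPNEGO:
        return []
    tag, neg, _ = read_tlv(body, pos)    # [0] NegTokenInit
    if tag != 0xA0:
        return []
    _, seq, _ = read_tlv(neg)            # SEQUENCE
    tag, mech_list, _ = read_tlv(seq)    # [0] mechTypes
    if tag != 0xA0:
        return []
    _, oids, _ = read_tlv(mech_list)     # SEQUENCE OF OID
    mechs, pos = [], 0
    while pos < len(oids):
        tag, oid, pos = read_tlv(oids, pos)
        if tag == 0x06:
            mechs.append(oid)
    return mechs


def classify_authorization(header: str) -> str:
    """Map an Authorization header value to the mechanism the client actually used."""
    scheme, _, b64 = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "ntlm":
        return "NTLM"
    if scheme != "negotiate":
        return scheme.capitalize() or "none"
    if not b64:
        return "unknown"                 # bare "Negotiate" carries no token
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:
        return "invalid"
    if token.startswith(b"NTLMSSP\x00"):
        return "NTLM"                    # NTLMSSP sent inside Negotiate: the fallback case
    try:
        mechs = spnego_mechs(token)
    except (IndexError, ValueError):
        return "invalid"
    if not mechs:
        return "unknown"
    # SPNEGO lists mechanisms in preference order and the optimistic token
    # belongs to the first one, so that is what the client chose.
    if mechs[0] in KERBEROS_OIDS:
        return "Kerberos"
    return "NTLM" if mechs[0] == OID_NTLMSSP else "unknown"


def build_sample_log():
    """Constructed request lines (not captured from a real server)."""
    ntlm_type1 = (b"NTLMSSP\x00" + (1).to_bytes(4, "little")       # Type 1 (Negotiate)
                  + (0x00008207).to_bytes(4, "little") + bytes(16))  # flags, empty fields
    mech_types = der(0x30, der(0x06, OID_MS_KRB5) + der(0x06, OID_KRB5) + der(0x06, OID_NTLMSSP))
    krb_spnego = der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, der(0x30, der(0xA0, mech_types))))
    ntlm_only = der(0x30, der(0x06, OID_NTLMSSP))
    ntlm_spnego = der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, der(0x30, der(0xA0, ntlm_only))))
    b64 = lambda b: base64.b64encode(b).decode()
    return [
        "10.0.0.5 GET /intranet/ Negotiate " + b64(krb_spnego),
        "10.0.0.6 GET /intranet/ Negotiate " + b64(ntlm_type1),
        "203.0.113.9 GET /public/ NTLM " + b64(ntlm_type1),
        "10.0.0.7 GET /intranet/ Negotiate " + b64(ntlm_spnego),
        "10.0.0.8 GET /intranet/ Basic dXNlcjpwYXNz",
    ]


def summarize(log_lines):
    """Count mechanisms over lines shaped '<ip> <method> <path> <Authorization value>'."""
    counts = Counter()
    for line in log_lines:
        _ip, _method, _path, auth = line.split(" ", 3)
        counts[classify_authorization(auth)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarize(build_sample_log()))   # → {'Kerberos': 1, 'NTLM': 3, 'Basic': 1}
```

Run over a real capture, a high NTLM count from domain-joined intranet clients usually means the Kerberos path is broken (a missing or duplicated SPN for the site's host name, or a non-routable DC for the client) and the server is quietly taking the weaker fallback. On IIS 6 itself, Kerberos is only offered when the site's `NTAuthenticationProviders` metabase property includes `Negotiate` (the default is `Negotiate,NTLM`; it can be set with `adsutil.vbs`), which is the setting behind the "how to implement" part of the question.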