Integrated Authentication is an umbrella that actually consists of several
authentication schemes. The default order for negotiate is Kerberos, then
NTLM.
NTLM is connection-based authentication. That is, there is an initial 3-way
handshake to establish that connection, after which all communication across
that connection is presumed to be authenticated as the initial user. Thus,
its lifetime is limited by the lifetime of that connection. It is this
connection-dependency that makes NTLM not work correctly in Internet
scenarios across proxies that may pool connections.
Kerberos Authentication is something totally different. It is a token-based
authentication scheme where an initial one-way hash is used to determine
authenticity, and thereafter, a token that contains the valid originating
IP, "Freshness", and applicable services (all encrypted) is given to the
authenticated user. The browser hands this token around to servers for
authentication, and the server verifies that the token is not stale, the
user is from the originating IP, and that the applicable service is
rendered by this server -- and if it all checks out, access is granted.
Thus, the lifetime of Kerberos is bound by the "Freshness" (which tends to
be small, like 15 minutes, since otherwise replay attacks can be made
against Kerberos).
As for limits, that is something you empirically derive through testing
because every setup is unique.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
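As an added illustration of the two lifetimes David contrasts above (this is a simplified model written for this thread, not IIS, NTLM or Kerberos code): one class binds an identity to a connection id after a handshake, the other issues a token carrying user, originating IP, service and issue time and checks it on every request. The HMAC construction, the 15-minute window and all names and addresses are assumptions for the example.

```python
import hashlib
import hmac
import json

FRESHNESS_SECONDS = 15 * 60           # "Freshness" window from the post (assumed value)
SERVER_KEY = b"constructed-demo-key"  # stands in for the service's key (constructed)


class NtlmConnection:
    """Connection-based: the 3-way handshake binds one user to a connection id;
    every later request on that connection is treated as that user."""

    def __init__(self):
        self.authenticated = {}  # connection id -> user established by the handshake

    def handshake(self, conn_id, user):
        self.authenticated[conn_id] = user

    def user_for_request(self, conn_id):
        # No per-request check: a proxy that pools this connection lets later
        # requests from anyone inherit the first user's identity.
        return self.authenticated.get(conn_id)


def issue_ticket(user, client_ip, service, issued_at):
    """Token-based: bind user, originating IP, service and issue time, then MAC
    the body so the verifier can detect tampering (HMAC is a stand-in for the
    encryption the post mentions)."""
    body = json.dumps({"user": user, "ip": client_ip, "svc": service, "t": issued_at},
                      sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return body, tag


def verify_ticket(ticket, request_ip, this_service, now):
    """Return (user, "ok") or (None, reason) after the three checks in the post."""
    body, tag = ticket
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None, "tampered"
    claims = json.loads(body)
    if now - claims["t"] > FRESHNESS_SECONDS:
        return None, "stale"          # replay outside the freshness window
    if claims["ip"] != request_ip:
        return None, "wrong origin"   # token presented from another address
    if claims["svc"] != this_service:
        return None, "wrong service"  # token issued for a different server
    return claims["user"], "ok"
```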
<mark.miller@gmx.org> wrote in message
news:dd87a512.0402201614.726bc6d9@posting.google.com...
So how does IIS know that the client was already authenticated. Does
it set a cookie? That doesn't sound right.
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:<c152h1$bkv13@kcweb01.netnews.att.com>...
> <mark.miller@gmx.org> wrote in message
> news:dd87a512.0402191436.18138e19@posting.google.com...
> > I can't find a decent White Paper on Integrated Authentication.
> >
> > So I can't figure out the following questions:
> >
> > If I use an IIS site after logging in with Integrated Authentication
> > (let's say Kerberos flavor), how long can I be inactive before I have
> > to re-authenticate?
> >
> > Where can I set this parameter?
> >
> > There must be some kind of Integrated Authentication State on the IIS,
> > so is there a limit on how many sessions it can simultaneously handle?
> >
> > What about memory requirements per session?
> >
> > Can anyone help me here? What I would most like would be a White Paper
> > with this stuff in it.
>
> I think because credentials are managed/cached by the client, it's really
> not an IIS issue and therefore you cannot set a timeout on the server ...