The two WWW-Authenticate additions Microsoft makes use of that I am currently aware of are
- NTLM
- Negotiate
If Negotiate is sent down from the server, based on a set of conditions Kerberos will be used
- Intranet Zone
- Accessing the server using a Hostname rather then IP
- Integrated Windows Authentication in IE is enabled, the host is trusted in Firefox
- The Server is not local to the browser
- The client's Kerberos system is authenticated to a domain controller
Then Kerberos will be attempted between the server and the client, if something above is not met, then NTLM will be attempted.
My question is, is there some way for the server to indicate that NTLM should not be sent? I currently handle this by keeping track of the request in the session, and if a NTLM message is received, it disables Kerberos and WWW-Authenticate for the rest of that sessions life.