Windows Authentication with IIS7 with public facing website

iis-7

By default in IIS7, Windows Authentication was turned off and I had to make a configuration change to activate it. When I did that, there was a description for Windows Authentication that explained it should only be used for intranet sites, not public-facing websites. Considering that NTLM/Kerberos does not use plain text, I am not sure why Microsoft have decided this all of a sudden.

Can anybody explain?

Best Answer

Windows Authentication, when enabled, allows the Web Site to be authenticated using NTLM or Kerberos. By default, WIA enables Kerberos starting from Win2K. When you enable WIA, you basically expose your AD to the Internet to allow Internet users to authenticate.

Microsoft documentation says you enable Basic + SSL when exposing your application over the Internet. Also, check out the articles which explain the changes implemented in Authentication from Windows Server 2008 R2: link text and link text
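To make the two settings from the answer concrete, here is an added example (not from the original post or from Microsoft's documentation) of the relevant `system.webServer` section as it would appear in a site's web.config. The first fragment is the intranet-style configuration the question describes (Windows Authentication on, anonymous off); the second is the Basic + SSL arrangement the answer recommends for an Internet-facing site, where `sslFlags="Ssl"` makes IIS refuse plain HTTP so the Base64-encoded Basic credentials never travel unencrypted. The site name and the choice to disable anonymous access are assumptions for the illustration.

```xml
<!-- Intranet site (assumed name "IntranetApp"): integrated Windows auth only.
     Clients must be able to reach a domain controller for Kerberos/NTLM,
     which is why this is the intranet-only option. -->
<configuration>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
        <basicAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</configuration>

<!-- Internet-facing site (assumed name "PublicApp"): Basic auth, SSL required.
     Basic sends the password Base64-encoded (not encrypted) on every request,
     so sslFlags="Ssl" is what keeps it from being readable on the wire. -->
<configuration>
  <system.webServer>
    <security>
      <access sslFlags="Ssl" />
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="false" />
        <basicAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

One caveat when trying this on IIS7: the `authentication` sections are locked at the server level by default (`overrideModeDefault="Deny"` in applicationHost.config), so a site-level web.config like the above produces a 500.19 error until an administrator unlocks those sections (for example via "Feature Delegation" in IIS Manager) or sets the values in applicationHost.config directly.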