Great question! When you spin up a new ASP.NET web app with Windows Authentication and use IIS Express for local development, NTLM is the go-to protocol in almost all standard scenarios.

Let me break it down simply:

• IIS Express runs under your local user account by default, and it doesn't come pre-configured to use Kerberos. Kerberos requires a Service Principal Name (SPN) linked to the server's service account—something that isn't set up automatically for IIS Express during your typical dev workflow.
• NTLM, on the other hand, works right out of the box here. It leverages your existing Windows user credentials without needing any extra SPN setup, which makes it perfect for local testing where your client (your machine) and server (IIS Express) are on the same domain or local network.

If you really wanted to use Kerberos with IIS Express, you could manually register an SPN for your local user account and tweak your app's settings—but that's not the default setup most developers use. For the internal apps you're building with Windows Authentication, NTLM is what you'll be using by default when running on IIS Express.

Quick note: The Windows Authentication IIS module does support both protocols, but IIS Express defaults to NTLM unless you explicitly configure Kerberos.

内容的提问来源于stack exchange，提问作者Ogglas