If Kerberos Authentication fails,will it always fall back to NTLM?

I have gone through many blogs which 开发者_StackOverfloware telling that if Kerberos fails then it automatically falls back to NTLM.Is it true?

Yes it is, if you configured Kerberos through central administration.
In IIS metabase, you should have "Negociate, NTLM".

I think the client decides what to send and the server simply accepts or rejects. Meaning, based on what the server is asking for, the client may or may not be able to comply. So if the server says Negotiate, the client can send either an NTLM token or a Kerberos token...?

If you are writing a server that needs to authenticate clients via Kerberos, then you will be able to specify if you want to accept or reject the token, or have the client retry using some other scheme... like Basic (not recommended).

If you are writing a client, simply send which ever token you want (NTLM or Kerberos) and the server will tell you what to do next (if anything, server may accept).

Take a look at this open source project http://spnego.sourceforge.net The project implements a SPNEGO Http Servlet Filter as well as a SpnegoHttpURLConnection object.

Actually, this is a pretty big gotcha with Kerberos. Yes, Negotiate will pick between Kerberos and NTLM, but this is a one time choice. It is not failover authentication. So if the Kerberos Authentication fails, the server won't specifically send a new NTLM authentication to the client.