I am running a MOSS 2007 small farm with two load-balanced WFE servers and one SQL 2005 server. I have set up kerberos authentication
1) selected the kerberos options during install and web application creation
2) registered the SPN for my WFE computers and accounts running my application pools
3) set my WFE computers and application pool accounts as trusted for delegation in AD
4) set up the certificate on my WFEs
5) modified the IIS metabase line <IISWebServer> ...<ntauthentication="ntlm"> to <IISWebServer> ...<ntauthentication="negotiate,ntlm">
However when I go to the security tab in the Event Viewer on my web front end, it still says "NTLM" as the authentication method for many SharePoint events. Could this be correct?
Secondly, each time I open up a browser and navigate to the SharePoint site for the first time, it prompts for a user name and password. Is this the correct behavior for kerberos? Is it not extremely inconvenient for users to be prompted for this each time they open a browser window and navigate to SharePoint? I would like to get rid of ths if possible.