First of all are negotiate, ntlm and kerberos three different implementation of windows authentication?
IE sends this:
Authorization: Negotiate YIIFswYGKwYB ...
Firefox sends this:
Authorization: NTLM TlRMTVNTUAADAA ...
Do they use different protocols? If so how to configure iis 7.0 so that only ntlm would be used?
p.s. iis is configured to use windows auth, but both browsers throw login forms and login only succeeds for firefox.
Technically, no.
Practically, yes.
Technically Kerberos is the technological successor to NTLM. But you can use either to authenticate against a Windows domain/server. If you select negotiate, your browser will attempt to authenticate in whatever way is successful, which is sometimes NTLM.
Heads up...
Safari on iOS (from 7 to 7.0.2, and then 8 as well, it seems) has troubles with Kerberos, so if you have to support iPhones/iPads, disable Negotiate and only have NTLM.