Although SharePoint offers multiple authentication options and authentication zones, the two most common choices for enterprise implementations in intranet scenarios are NTLM and Kerberos. Both of these protocols are used with Integrated Windows authentication in a classic challenge/response scheme. NTLM relies on IIS generating a token with a challenge, sending it to the client, the client responding with a token, and a domain controller validating that response. NTLM requires user names and passwords to be encrypted before they are transmitted, and also requires re-authentication (a new token) when accessing a new network resource. Kerberos, on the other hand, relies on a ticketing system where a client and server access a trusted authority called a Key Distribution Center (KDC), which responds to client requests and grants tickets that the client can use to access network resources. Kerberos does not require re-authentication for accessing multiple resources.
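To check which of the two protocols a web application actually negotiated, the token carried in the HTTP `Authorization` or `WWW-Authenticate` header can be inspected. The Python below is an added example, not code from the original article; the function name `classify` and the sample tokens are constructed for illustration. It goes slightly beyond the text by also covering a `Negotiate` header that carries an NTLM token instead of a Kerberos ticket.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}
# DER-encoded OID bodies carried by Kerberos GSS-API/SPNEGO tokens.
KRB5_OIDS = (
    bytes.fromhex("2a864886f712010202"),  # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"),  # 1.2.840.48018.1.2.2 (Microsoft variant)
)

def classify(header_value):
    """Classify an Authorization / WWW-Authenticate value as NTLM or Kerberos."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("ntlm", "negotiate"):
        return {"protocol": "other"}
    if not blob.strip():
        return {"protocol": "offer-only"}  # scheme advertised, no token yet
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return {"protocol": "invalid"}
    at = token.find(NTLM_SIG)
    if at >= 0:  # raw NTLM, or NTLM carried inside a Negotiate token
        msg = token[at:]
        if len(msg) < 12:
            return {"protocol": "invalid"}
        mtype = struct.unpack_from("<I", msg, 8)[0]  # little-endian message type
        out = {"protocol": "NTLM", "message": NTLM_TYPES.get(mtype, "unknown")}
        if mtype == 2 and len(msg) >= 32:
            out["server_challenge"] = msg[24:32].hex()  # 8-byte server challenge
        return out
    if any(oid in token for oid in KRB5_OIDS):
        return {"protocol": "Kerberos"}
    return {"protocol": "unknown"}

def _hdr(scheme, raw):
    return scheme + " " + base64.b64encode(raw).decode()

# Constructed sample tokens (truncated stand-ins, not captured traffic).
NTLM_TYPE1 = _hdr("NTLM", NTLM_SIG + struct.pack("<II", 1, 0xA2088207))
NTLM_TYPE2 = _hdr("NTLM", NTLM_SIG + struct.pack("<IHHII", 2, 0, 0, 56, 0xA2898205)
                  + bytes.fromhex("0123456789abcdef"))
FALLBACK = _hdr("Negotiate", NTLM_SIG + struct.pack("<II", 1, 0xA2088207))
KERBEROS = _hdr("Negotiate", b"\x60\x0f\x06\x09" + KRB5_OIDS[0] + b"\x01\x00\x6e\x00")

if __name__ == "__main__":
    for name in ("NTLM_TYPE1", "NTLM_TYPE2", "FALLBACK", "KERBEROS"):
        print(name, classify(globals()[name]))
```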