This article explains the different authentication modes of Basic, NTLM, and Kerberos.
Please find the details below which have been taken from the Administrators Guide section: "About IWA Challenge Protocols"
About IWA Challenge Protocols
When configured for IWA, the ProxySG appliance determines which of the following protocols to use to obtain Windows domain login credentials each time it receives a client request that requires authentication:
Kerberos — This is the most secure protocol because it establishes mutual authentication between the client and the server using an encrypted shared key. This protocol requires additional configuration and the appliance will silently downgrade to NTLM if Kerberos is not set up properly or if the client cannot do Kerberos. For more information, see "Preparing for a Kerberos Deployment" on page 1203.
NTLM — Uses an encrypted challenge/response that includes a hash of the password. NTLM requires two trips between the workstation and the appliance, and one trip between the appliance and the Domain Controller (DC). It therefore puts more load on the network than Kerberos, which only requires one trip between the workstation and the appliance, and doesn’t require a trip between the appliance and the DC.
Basic — Prompts the user for a username and password to authenticate the user against the Windows Active Directory.
When the appliance receives a request that requires authentication, it consults the IWA configuration settings you have defined to determine what type of challenge to return to the client. It will try to use the strongest authentication protocol that is configured and, if the browser cannot use that protocol or if it is not configured properly, the appliance will downgrade to the next authentication protocol. For example, if you configure the IWA realm to allow Kerberos and NTLM authentication, but the user agent/browser does not support Kerberos, the appliance will automatically downgrade to NTLM.
IWA authentication realms (with basic credentials) can be used to authenticate administrative users (read only and read/write) to the management console. To ensure that credentials are not sent in clear text, configure the IWA realm to use TLS to secure the communication with the BCAAA server, or in the case of IWA direct, secure the communication from the appliance to the domain.