Wednesday, August 2, 2006 7:49 AM by Ken
Two easy (easier?) ways to determine Kerberos from NTLM in a HTTP capture
Tristan's got a post explaining how to determine whether your client's using NTLM or Kerberos when authenticating to your web application. Is there a better way than looking at the size of the request? I think so (but that's just my opinion).
The first option is to simply use a capture tool (such as Wireshark aka Ethereal) that is aware of the differences between Kerberos and NTLM.
The first screenshot shows Kerberos authentication in action. The middle pane shows the client's request to the server when authenticating with Kerberos. You can see the Negotiate blob (1). Ethereal lets us decompose this blob, and you can clearly see that Kerberos v5 is being used (2), the Kerberos blob (3), and the Kerberos Authenticator and Ticket (4).
In comparison, the second screenshot shows NTLM being used. As you can see, the Negotiate blob is still present (1), but the decomposition is very different. We can clearly see the NTLM hash here (2).
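The same distinction Ethereal draws in the screenshots can be applied to the Authorization: Negotiate header value itself: an NTLMSSP message always carries its "NTLMSSP\0" signature, while a Kerberos token names the Kerberos mechanism OID inside the SPNEGO blob. The script below is an added example, not part of the original post; the sample header values it checks are constructed, not taken from a real capture.

```python
import base64
import re

# DER encodings of the mechanism OIDs that Wireshark decodes inside the Negotiate blob.
# Kerberos v5 is 1.2.840.113554.1.2.2 (RFC 4121); Microsoft's variant is 1.2.840.48018.1.2.2;
# NTLMSSP is 1.3.6.1.4.1.311.2.2.10. Each byte string starts with the DER OID tag 0x06.
KERBEROS_OIDS = (bytes.fromhex("06092a864886f712010202"), bytes.fromhex("06092a864882f712010202"))
NTLM_OID = bytes.fromhex("060a2b060104018237020210")
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"  # every NTLMSSP message begins with this signature


def classify_negotiate(header_value: str) -> str:
    """Return 'NTLM', 'Kerberos' or 'unknown' for one 'Negotiate <base64>' header value.

    NTLM is checked first: an NTLMSSP message carries its signature whether it is sent raw
    or wrapped in SPNEGO as the mechToken, so the word "Negotiate" alone proves nothing.
    Only a token with no NTLMSSP message that names a Kerberos mechanism counts as Kerberos.
    """
    m = re.fullmatch(r"\s*Negotiate\s+([A-Za-z0-9+/=]+)\s*", header_value)
    if not m:
        return "unknown"
    try:
        token = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    if NTLMSSP_SIGNATURE in token:
        return "NTLM"
    if any(oid in token for oid in KERBEROS_OIDS):
        return "Kerberos"
    return "unknown"


def _der(tag: int, body: bytes) -> bytes:
    """Tiny DER TLV encoder (short-form length only), used to build the constructed samples."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def spnego_init(mech_oids: bytes, mech_token: bytes) -> bytes:
    """Constructed GSS-API InitialContextToken carrying a SPNEGO negTokenInit (RFC 4178 layout)."""
    init = _der(0x30, _der(0xA0, _der(0x30, mech_oids)) + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, bytes.fromhex("06062b0601050502") + _der(0xA0, init))  # OID 1.3.6.1.5.5.2


# Constructed samples, not real captures: an NTLMSSP NEGOTIATE (type 1) message with arbitrary
# flags, and an 8-byte stand-in (tag 0x6e = APPLICATION 14, AP-REQ) for a real Kerberos ticket.
NTLM_TYPE1 = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + bytes.fromhex("078208a2") + b"\x00" * 16
SAMPLE_HEADERS = {
    "raw NTLM": "Negotiate " + base64.b64encode(NTLM_TYPE1).decode(),
    "SPNEGO-wrapped NTLM": "Negotiate " + base64.b64encode(spnego_init(NTLM_OID, NTLM_TYPE1)).decode(),
    "SPNEGO Kerberos": "Negotiate " + base64.b64encode(spnego_init(b"".join(KERBEROS_OIDS), b"\x6e" + b"\x00" * 7)).decode(),
}

if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        print(f"{name:20s} -> {classify_negotiate(value)}")
```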
The second (and possibly easier) way to determine what your client is using to authenticate is simply to look in the Windows Security Event Log. In the next screenshot, we see a network logon event being logged that shows Kerberos authentication being used (this logon event corresponds to the Kerberos packet seen in Ethereal above).
In the second event log screenshot, we see NTLM being used. Couldn't be easier!