In PowerShell, which authentication scheme should I use?

When using PowerShell remoting (Using the Invoke-Command cmdlet for example), an authentication scheme is required.

The options are Kerberos, CredSSP, NTLM and Negotiate.

What is the difference between them? What should I use?

Kerberos

Pros:

• Very secure.
• No need to pass implicit credentials.

Cons:

• Requires a SPN record in the executing user’s domain (registered automatically on the computer’s domain only. If it’s two different domain – the SPN needs to be registered manually).
• Does not support second-hop remoting.

CredSSP

Somewhat secure – the credentials are being passed to the remote server and may be captured there.

Pros:

• Supports second-hop remoting.

Cons:

• Must pass implicit credentials.
• Needs special configuration on both the server & client side.

NTLM

Pros:

• No need to pass implicit credentials.

Cons:

• Not very secure.
• Does not support second-hop remoting.

Negotiate

Tries Kerberos. If fails, fallbacks to NTLM. Sometimes secure, sometimes isn’t.

Pros:

• No need to pass implicit credentials.

Cons:

• Does not support second-hop remoting.