Alright, we figured out that using Windows Integrated security will not send plain text over the wire under certain conditions:
* Anon. Access is disabled
* Basic Auth is disabled
* Client is I.E. 2.0 or above
* IIS is on W2K or above
Negotiation is actually done in two forms:
* NTLM
* Kerberos
However, does anyone know if the 1st IIS is a client to a web server on another 2nd IIS box where the 2nd is using Windows Integrated Security and all the above conditions apply will NTLM and Kerberos still apply?
Do you have any links or sources to back up the claim?