Just noticed that with Kerberos authentication, client browser always gets a 401 response first (with WWW-Authenticate: Negotiate header) and in next request actual kerberos token is sent for authentication (handled internally by browser).
For first time its fine, but for every subsequent request why this process is repeated ? Once client knows that server support kerberos why dont client stores a cookie to indicate that every time I need to send auth token ?
I understand that the NTLM protocol is designed like this, but want to understand why ?