NTLM is only allow 1-hop solutions because it is transferring user credentials to the first server – in most cases it is IIS on your SharePoint Front End Server. If you want to get some data from a SharePoint server code (WebPart etc) and ask another server for data (it could be external back-end system you want to integrate to), you can’t pass user context to that 2nd hop. So only impersonation is the option. Kerberos allow to set up trust between servers so you can pass User context to that back-end server and got security-trimmed (or audience-targeted) data for the User.
NTLM is a properitary AuthN protocol invented by Microsoft whereas Kerberos is a standard protocol.
The big difference is how the two protocols handle the authentication: NTLM uses a three-way handshake between the client and server and Kerberos uses a two-way handshake using a ticket granting service (key distribution center). In Kerberos the client must have access to a domain controller (which issues the tickets) whereas in NTLM the client contacts the server which contacts the domain controller.
The performance benefits due to the minimized amount of AuthN traffic between servers, client and DCs.
Also Kerberos are considered to be more secure than NTLM.
.png "Kerberos")
paulgilbride.com 