Going through the IIS errors on the DPs I've noticed that for each file that gets downloaded from the DP there's 2 lines on the IIS log:
2011-10-06 13:45:17 111.111.111.111 HEAD /SMS_DP_SMSPKGD$/XXX00278/disk1/stage/Components/oracle.designer.repman61/10.1.2.0.2/1/DataFiles/ldll.jar - 80 - 222.222.222.222 Microsoft+BITS/7.5 401 2 5 0 2011-10-06 13:45:17 111.111.111.111 HEAD /SMS_DP_SMSPKGD$/XXX00278/disk1/stage/Components/oracle.designer.repman61/10.1.2.0.2/1/DataFiles/ldll.jar - 80 DOMAIN\USERNAME 222.222.222.222 Microsoft+BITS/7.5 200 0 0 0
As you can see from above, the first is an anonymous authentication which fails with authentication failed - because we are not authorizing anonymous authentications.
The second succeeds because it uses credentials of a domain user, which we obviously allow.
As mentioned above, this happens for every single file that is downloaded.
I've looked at this page: http://blogs.technet.com/b/configurationmgr/archive/2010/06/03/solution-you-may-experience-slow-performance-when-using-bits-and-kerberos-authentication-on-configmgr-2007-distribution-points.aspx but even with the changes mentioned there the same thing happens.
At the moment we are using negotiate as the preferred authentication method with NTLM as second.
I've also tried to set authPersistSingleRequest to true as mentioned here: http://msdn.microsoft.com/en-us/library/aa347472.aspx but again nothing changes.
What do I need to do to make the second requests go away (short of enabling anonymous authentication).