Hello @Duncan ,
Thank you for posting here.
Here are the answers for your reference.
Q1: I have only installed 'Certificate Authority Web Enrollment', not the 'Certificate Enrollment Web Service'. I cannot find a web.config there. Is web.config editing only necessary if you have installed 'Certificate Enrollment Web Service'?
A1: Yes, from the article, we can see it is.
Q2: What is correct? To disable 'Enable Kernel-mode authentication' and set Extended Protection to 'Required' while using only 'Negotiate: Kerberos'?
A2: However, if you can’t disable NTLM outright, then we recommend enabling EPA on AD CS services. This is achieved by:
Enable 'Enable Kernel-mode authentication' and set Extended Protection to 'Required'.
Or you can remove 'Certificate Authority Web Enrollment' role if you do not need it.
Hope the information above is helpful to you.
Should you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
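The settings discussed in this answer can be checked offline against a copy of the IIS applicationHost.config. The following is an added example, not part of the answer above or of any Microsoft tooling; the site path `Default Web Site/CertSrv`, the function name `audit_certsrv` and the sample XML are assumptions constructed for illustration, and the check only reads values set explicitly in the `<location>` block, not inherited ones.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment (not taken from a real server).
SAMPLE = """<configuration>
  <location path="Default Web Site/CertSrv">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="true">
        <providers>
          <clear />
          <add value="Negotiate" />
          <add value="NTLM" />
        </providers>
        <extendedProtection tokenChecking="Allow" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
</configuration>"""

def audit_certsrv(config_xml, site_path="Default Web Site/CertSrv"):
    """Report the Windows Authentication settings set explicitly for site_path."""
    root = ET.fromstring(config_xml)
    node = None
    for loc in root.iter("location"):
        if loc.get("path", "").lower() == site_path.lower():
            node = next(loc.iter("windowsAuthentication"), None)
            break
    if node is None:
        return None  # nothing set at this level; values are inherited
    ep = node.find("extendedProtection")
    # IIS schema defaults: tokenChecking="None", useKernelMode="true"
    token = ep.get("tokenChecking", "None") if ep is not None else "None"
    providers = [a.get("value") for a in node.findall("providers/add")]
    findings = []
    if token != "Require":  # the GUI label 'Required' is stored as "Require"
        findings.append(f"Extended Protection is {token}, not Require")
    # Plain Negotiate can fall back to NTLM; Negotiate:Kerberos cannot.
    ntlm = [p for p in providers if p.upper() in ("NTLM", "NEGOTIATE")]
    if ntlm:
        findings.append("NTLM-capable providers: " + ", ".join(ntlm))
    return {
        "token_checking": token,
        "kernel_mode": node.get("useKernelMode", "true").lower() == "true",
        "providers": providers,
        "findings": findings,
    }

if __name__ == "__main__":
    print(audit_certsrv(SAMPLE))
```

The kernel-mode value is reported without a verdict, since the question and the answer differ on it.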