Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,180 questions
ADCA and kerberos?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 95%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHK%3C/text%3E%3C/svg%3E)
Harman Kardon
121
Reputation points
Hi!
I was following this guide to mitigate the petitoam issue.
https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
But under additional mitigation it says the following:
Disable NTLM for Internet Information Services (IIS) on AD CS Servers in your domain running the "Certificate Authority Web Enrollment" or "Certificate Enrollment Web Service" services.
To do so open IIS Manager UI, set Windows authentication to Negotiate:Kerberos:
If I do that the IIS manager gives an error "kernel mode authentication cannot be used with negotiable 2 providers" So it seems that enabling kernel mode authenticaiton stops the option to have negotiate Kerberos?
Info:
Server 2012 R2