ADCA and Kerberos?

Harman Kardon 121 Reputation points
2021-08-18T10:44:04.863+00:00

Hi!
I was following this guide to mitigate the PetitPotam issue.
https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
But under additional mitigation it says the following:
Disable NTLM for Internet Information Services (IIS) on AD CS Servers in your domain running the "Certificate Authority Web Enrollment" or "Certificate Enrollment Web Service" services.

To do so open IIS Manager UI, set Windows authentication to Negotiate:Kerberos:

If I do that, the IIS Manager gives an error: "kernel mode authentication cannot be used with negotiable 2 providers". So it seems that enabling kernel mode authentication stops the option to have Negotiate:Kerberos?

Info:
Server 2012 R2

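A read-only check of the two settings the question turns on (the provider list and kernel-mode authentication), as an added example that is not part of the original post or the KB article. It assumes the IIS `WebAdministration` module is available and that Web Enrollment uses the default `Default Web Site/CertSrv` application path; the function name `Get-AdcsWinAuthAudit` is hypothetical.

```powershell
# Added example: audit Windows Authentication on AD CS web endpoints (read-only).
Import-Module WebAdministration

function Get-AdcsWinAuthAudit {
    param(
        # Assumption: default Web Enrollment path. Pass additional application
        # paths (for example a Certificate Enrollment Web Service app) as needed.
        [string[]]$Location = @('Default Web Site/CertSrv')
    )

    $root   = 'MACHINE/WEBROOT/APPHOST'
    $filter = 'system.webServer/security/authentication/windowsAuthentication'

    foreach ($loc in $Location) {
        $enabled = (Get-WebConfigurationProperty -PSPath $root -Location $loc `
                        -Filter $filter -Name enabled).Value
        $kernel  = (Get-WebConfigurationProperty -PSPath $root -Location $loc `
                        -Filter $filter -Name useKernelMode).Value

        # Each element of the providers collection carries the provider name in 'value'.
        $providers = @(Get-WebConfigurationProperty -PSPath $root -Location $loc `
                        -Filter "$filter/providers" -Name Collection |
                        ForEach-Object { $_.value })

        # 'NTLM' is NTLM outright; plain 'Negotiate' can fall back to NTLM.
        # 'Negotiate:Kerberos' is the value the KB asks for.
        $ntlmCapable = @($providers | Where-Object { $_ -in 'NTLM', 'Negotiate' })

        [pscustomobject]@{
            Location           = $loc
            WindowsAuthEnabled = $enabled
            UseKernelMode      = $kernel
            Providers          = $providers -join ', '
            NtlmStillOffered   = ($enabled -and $ntlmCapable.Count -gt 0)
        }
    }
}

Get-AdcsWinAuthAudit | Format-List
```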