Question asked by HarmanKardon-4789 (0 votes, later edited)

ADCS and Kerberos?

Hi!
I was following this guide to mitigate the PetitPotam issue.
https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429
But under additional mitigation it says the following:
Disable NTLM for Internet Information Services (IIS) on AD CS Servers in your domain running the "Certificate Authority Web Enrollment" or "Certificate Enrollment Web Service" services.

To do so, open the IIS Manager UI and set Windows authentication to Negotiate:Kerberos:

If I do that, the IIS Manager gives an error "kernel mode authentication cannot be used with negotiable 2 providers". So it seems that enabling kernel mode authentication stops the option to have Negotiate:Kerberos?

Info:
Server 2012 R2

Tags: windows-server, windows-active-directory


0 Answers
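The question has no answers, so an added example follows. It is not from the asker, from Microsoft, or from the linked KB: a PowerShell script using the WebAdministration module (shipped with IIS on Windows Server 2012 R2) that audits the Windows authentication settings of an AD CS web application and applies the "Negotiate:Kerberos only" setting the KB asks for. Because IIS refuses the Negotiate:Kerberos provider while kernel-mode authentication is on (the IIS Manager error quoted above), the script turns kernel mode off before changing the provider list. The function names are hypothetical, the default location `Default Web Site/CertSrv` is assumed to be the Certificate Authority Web Enrollment virtual directory (pass the Certificate Enrollment Web Service application path instead for CES), and the Extended Protection step is assumed to be wanted on the same application.

```powershell
# Added example, not from the question or from KB5005413: audit and enforce
# "Windows authentication offers Negotiate:Kerberos only" on an AD CS web
# application with the WebAdministration module (present on Server 2012 R2).
# Assumptions: the function names are hypothetical; -Location defaults to the
# usual Certificate Authority Web Enrollment vdir, 'Default Web Site/CertSrv'.

Import-Module WebAdministration

$AppHost       = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config, site-level <location>
$WinAuthFilter = 'system.webServer/security/authentication/windowsAuthentication'

function Get-AdcsWinAuthState {
    param([string]$Location = 'Default Web Site/CertSrv')

    $section   = Get-WebConfiguration -PSPath $AppHost -Location $Location -Filter $WinAuthFilter
    $providers = @(Get-WebConfigurationProperty -PSPath $AppHost -Location $Location `
                     -Filter "$WinAuthFilter/providers" -Name Collection |
                   ForEach-Object { $_.value })

    [pscustomobject]@{
        Location           = $Location
        Enabled            = [bool]$section.enabled
        UseKernelMode      = [bool]$section.useKernelMode
        Providers          = $providers
        ExtendedProtection = "$($section.extendedProtection.tokenChecking)"
        # Plain 'Negotiate' still permits an NTLM fallback, so it counts as NTLM exposure.
        NtlmExposed        = [bool]($providers | Where-Object { $_ -in 'NTLM', 'Negotiate' })
    }
}

function Test-AdcsWinAuthKerberosOnly {
    param([string]$Location = 'Default Web Site/CertSrv')
    $s = Get-AdcsWinAuthState $Location
    # True only when kernel mode is off and Negotiate:Kerberos is the sole provider.
    (-not $s.UseKernelMode) -and (-not $s.NtlmExposed) -and
        ($s.Providers.Count -eq 1) -and ($s.Providers[0] -eq 'Negotiate:Kerberos')
}

function Set-AdcsWinAuthKerberosOnly {
    param([string]$Location = 'Default Web Site/CertSrv')
    $common = @{ PSPath = $AppHost; Location = $Location }

    # 1. Kernel-mode authentication off first: IIS rejects the Negotiate:Kerberos
    #    provider while it is on (the IIS Manager error the question quotes).
    Set-WebConfigurationProperty @common -Filter $WinAuthFilter -Name useKernelMode -Value $false

    # 2. Remove every provider currently offered, then offer Negotiate:Kerberos only.
    foreach ($p in (Get-AdcsWinAuthState $Location).Providers) {
        Remove-WebConfigurationProperty @common -Filter "$WinAuthFilter/providers" `
            -Name '.' -AtElement @{ value = $p }
    }
    Add-WebConfigurationProperty @common -Filter "$WinAuthFilter/providers" `
        -Name '.' -Value @{ value = 'Negotiate:Kerberos' }

    # 3. Require Extended Protection for Authentication (the KB's primary mitigation).
    #    This assumes the application already has an HTTPS binding and "Require SSL".
    Set-WebConfigurationProperty @common -Filter "$WinAuthFilter/extendedProtection" `
        -Name tokenChecking -Value 'Require'

    Get-AdcsWinAuthState $Location
}

# Audit first; uncomment the apply line once the output looks as expected, then re-check.
Get-AdcsWinAuthState | Format-List
# Set-AdcsWinAuthKerberosOnly | Format-List
Test-AdcsWinAuthKerberosOnly
```

Run it from an elevated PowerShell on the CA web server; by default it only reads. With kernel-mode authentication off, IIS decrypts Kerberos tickets with the application pool identity instead of the machine account, so if the pool runs as a custom domain account that account must hold the HTTP/<server FQDN> SPN. After the change, enrollment clients that cannot obtain a Kerberos ticket (workgroup machines, requests by IP address) are refused rather than silently falling back to NTLM, which is the intended effect of the mitigation, so check the CertSrv application's IIS logs for 401 responses after rollout.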