Use the Advanced Settings dialog box to specify whether Windows authentication is performed in Kernel mode, and to configure Extended Protection settings. By default, IIS enables Kernel-mode authentication, which may improve authentication performance and prevent authentication problems with application pools configured to use a custom identity.

As a best practice, do not disable this setting if you use Kerberos authentication and have a custom identity on the application pool.

Negotiable 2 allows new authentication providers, such as LiveId (LiveSSP) or CardSpace (FedSSP) to work with IIS. Negotiable 2 is an HTTP authentication scheme that uses the NegoEx security protocol to logically extend the SPNEGO protocol. One of the benefits of Negotiable 2 protocol support in IIS is the ability to configure explicit Kerberos authentication that does not use NTLM if the client does not support Kerberos.

Note that you cannot use Negotiable 2-based providers when Kernel-mode authentication is enabled. You must turn off Kernel-mode authentication before you use Negotiable 2-based authentication providers.

See Also