Advanced Settings Dialog Box - Windows Authentication Feature

Applies To: Windows Server 2008 R2

Use the Advanced Settings dialog box to specify whether Windows authentication is performed in Kernel mode, and to configure Extended Protection settings. By default, IIS enables Kernel-mode authentication, which may improve authentication performance and prevent authentication problems with application pools configured to use a custom identity.

As a best practice, do not disable this setting if you use Kerberos authentication and have a custom identity on the application pool.

Negotiable 2 allows new authentication providers, such as LiveId (LiveSSP) or CardSpace (FedSSP), to work with IIS. Negotiable 2 is an HTTP authentication scheme that uses the NegoEx security protocol to logically extend the SPNEGO protocol. One benefit of Negotiable 2 protocol support in IIS is the ability to configure explicit Kerberos authentication that does not fall back to NTLM if the client does not support Kerberos.

Note that you cannot use Negotiable 2-based providers when Kernel-mode authentication is enabled. You must turn off Kernel-mode authentication before you use Negotiable 2-based authentication providers.
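
The following Python audit is an added example, not Microsoft's code: it reads constructed `<location>` overrides in the shape of applicationHost.config and flags the conflict described above, a Negotiable 2-based provider configured while Kernel-mode authentication is on. It assumes that provider values of the form `Negotiate:<package>` (such as `Negotiate:Kerberos`) are the Negotiable 2-based ones and that `useKernelMode` defaults to true when the attribute is absent; it also reports the Extended Protection `tokenChecking` value for each location.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like <location> overrides in applicationHost.config.
SAMPLE_CONFIG = """
<configuration>
  <location path="Default Web Site/app1">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Require" />
        <providers><add value="Negotiate" /><add value="NTLM" /></providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/app2">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="true">
        <providers><add value="Negotiate:Kerberos" /></providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/app3">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="false">
        <providers><add value="Negotiate:Kerberos" /></providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
</configuration>
"""

def audit(config_xml):
    """Summarise each enabled windowsAuthentication element by location path."""
    report = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        wa = loc.find(".//windowsAuthentication")
        if wa is None or wa.get("enabled", "false").lower() != "true":
            continue
        kernel = wa.get("useKernelMode", "true").lower() == "true"  # assumed default
        providers = [p.get("value", "") for p in wa.findall("providers/add")]
        ep = wa.find("extendedProtection")
        report[loc.get("path")] = {
            "kernel_mode": kernel,
            "token_checking": "None" if ep is None else ep.get("tokenChecking", "None"),
            "providers": providers,
            # Assumption: "Negotiate:<package>" names are the Negotiable 2-based providers.
            "conflict": kernel and any(p.startswith("Negotiate:") for p in providers),
        }
    return report
```

Only `<location>` overrides are examined; settings in the server-level section of the file are outside what this example covers.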
