Disable Kernel-mode authentication

If the IIS application pool serving the web site is running under a machine account, this chapter can be skipped.

The IIS Kernel-mode authentication feature has been introduced in IIS 7.0 to speed up the authentication process. It must be disabled for web sites served by service users.

Chapter-related warnings

HIGH – Kerberos authentication fails

Disable Kernel-mode authentication for IIS web sites served by service users.
There is no action required for IIS versions older than 7.0.

Chapter content

11.7.6.3.2.2.1.1.1. Disable Kernel-mode authentication in IIS 10.0

11.7.6.3.2.2.1.1.2. Disable Kernel-mode authentication in IIS 8.5

11.7.6.3.2.2.1.1.3. Disable Kernel-mode authentication in IIS 7.5

Further information and links

(Microsoft) Checklist for Kerberos authentication with IIS