1
votes

Can someone advise why it is required to uncheck the Enable Kernel-mode authentication option in order to use Kerberos authentication (with Windows authentication enabled) for the top-level websites in IIS?

I would appreciate it if you could provide a video reference or visual diagram as an explanation.

1
blogs.msdn.microsoft.com/amol/2010/10/29/… You must disable kernel mode only when you change the application pool to a certain account. It is a design limitation of kernel mode itself. - Lex Li

1 Answer

1
votes

It should have nothing to do with top-level. It is recommended to uncheck kernel mode authentication only when you are setting a custom application pool account and Windows authentication fails in this case, because your custom application pool account will fail to decrypt the Kerberos ticket. As Lex said, this is by design.

When you need to use a custom domain account as the application pool identity and Windows authentication fails, you could disable kernel mode authentication or force Windows authentication to decrypt the user credential with the application pool identity.

The following links explain under which conditions kernel mode authentication needs to be disabled:
https://blogs.msdn.microsoft.com/autz_auth_stuff/2011/05/06/kernel-mode-authentication/
https://blogs.msdn.microsoft.com/sudeepg/2009/02/08/iis-7-and-kernel-mode-authentication/
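As an added example that is not part of the answer above, the PowerShell below audits one IIS site for the exact combination the answer describes (Windows authentication on, custom domain account as the pool identity, kernel mode on, useAppPoolCredentials off) and offers the second remediation from the answer, letting the pool identity decrypt the ticket. It assumes the WebAdministration module is available and that 'Default Web Site' is a placeholder site name.

```powershell
# Added example, not the answer's own code. Assumes IIS 7.5+ with the
# WebAdministration module; the site name is a placeholder to replace.
Import-Module WebAdministration

$WinAuthFilter = 'system.webServer/security/authentication/windowsAuthentication'

function Test-KernelModeKerberosRisk {
    param([Parameter(Mandatory)][string]$SiteName)

    $site = Get-Website -Name $SiteName
    if (-not $site) { throw "Site '$SiteName' not found" }

    # Application pool identity: SpecificUser means a custom (domain) account.
    $pool = Get-Item "IIS:\AppPools\$($site.applicationPool)"
    $identityType = [string]$pool.processModel.identityType
    $userName     = [string]$pool.processModel.userName

    # Site-level Windows authentication settings from applicationHost.config.
    $winAuth = Get-WebConfiguration -Filter $WinAuthFilter -PSPath 'IIS:\' -Location $SiteName

    $usesCustomAccount = ($identityType -eq 'SpecificUser')
    $kernelMode        = [bool]$winAuth.useKernelMode
    $appPoolCreds      = [bool]$winAuth.useAppPoolCredentials

    # Kernel mode decrypts the Kerberos service ticket with the machine account.
    # If the SPN is registered on a custom domain account instead, that decryption
    # fails unless useAppPoolCredentials=true or kernel mode is turned off.
    $atRisk = [bool]$winAuth.enabled -and $usesCustomAccount -and $kernelMode -and -not $appPoolCreds

    [pscustomobject]@{
        Site                  = $SiteName
        AppPool               = $site.applicationPool
        IdentityType          = $identityType
        UserName              = $userName
        WindowsAuthEnabled    = [bool]$winAuth.enabled
        UseKernelMode         = $kernelMode
        UseAppPoolCredentials = $appPoolCreds
        KerberosWillFail      = $atRisk
    }
}

function Repair-KernelModeKerberos {
    param([Parameter(Mandatory)][string]$SiteName)
    # Keeps kernel mode on but makes IIS decrypt the ticket with the pool identity.
    Set-WebConfigurationProperty -Filter $WinAuthFilter -Name useAppPoolCredentials `
        -Value $true -PSPath 'IIS:\' -Location $SiteName
}

$report = Test-KernelModeKerberosRisk -SiteName 'Default Web Site'   # placeholder
$report | Format-List
if ($report.KerberosWillFail) { Write-Warning "Run Repair-KernelModeKerberos -SiteName '$($report.Site)'" }
```

Run it from an elevated PowerShell on the IIS host; the repair keeps kernel mode enabled, which is the option the linked articles prefer over unchecking it.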