Why Does SharePoint 2010 Not Use Kernel Mode Authentication in IIS7?

Kernel mode authentication, as described for IIS7:

By default, IIS enables kernel-mode authentication, which may improve authentication performance and prevent authentication problems with application pools configured to use a custom identity. As a best practice, do not disable this setting if Kerberos authentication is used in your environment and the application pool is configured to use a custom identity.

But if you create a web application in SharePoint 2010 with Windows Authentication, you will find that the web application does not use kernel mode authentication by default. Instead, kernel mode authentication is explicitly turned off on this web application with `useKernelMode="false"`.

So why does SharePoint 2010 not follow this IIS7 best practice? There are two main reasons:

  1. There is an incompatibility between IIS7 kernel mode authentication and IE8, which is the level 1 browser for SharePoint 2010. IE8 uses a mechanism called "pre-authentication" to avoid some authentication round trips. But when working against IIS7 kernel mode authentication, an IE8 user may get a separate authentication prompt for every single resource on the first request after IIS is recycled. (BugID: Windows 7 628823)
  2. Kernel mode authentication does not support the new Nego2 authentication in IIS7.5.

The first reason will also affect MOSS 2007 if kernel mode auth is in use.
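To check where a given IIS host stands, here is an added audit script (not part of the original post): it lists, for every IIS site, whether Windows authentication is on, whether `useKernelMode` is on, and which identity the application pool runs as, so you can confirm that SharePoint web applications carry the explicit `useKernelMode="false"` and spot other sites where kernel mode is combined with a custom identity. It assumes it runs elevated on the IIS host with the WebAdministration snap-in (IIS 7.0) or module (IIS 7.5) available; the site names it prints are whatever that host has.

```powershell
# Added example, not from the original post. Assumes an elevated session on the
# IIS host. IIS 7.0 ships WebAdministration as a snap-in, IIS 7.5 as a module.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
} else {
    Add-PSSnapin WebAdministration -ErrorAction Stop
}

# Configuration section that holds useKernelMode (the setting SharePoint sets to false).
$filter = 'system.webServer/security/authentication/windowsAuthentication'

$report = Get-Website | ForEach-Object {
    $site = $_
    $path = "IIS:\Sites\$($site.Name)"

    # Site-level values; a site inherits applicationHost.config unless it overrides
    # them, which is exactly what SharePoint 2010 does for useKernelMode.
    $winAuth  = (Get-WebConfigurationProperty -Filter $filter -Name enabled               -PSPath $path).Value
    $kernel   = (Get-WebConfigurationProperty -Filter $filter -Name useKernelMode         -PSPath $path).Value
    $poolCred = (Get-WebConfigurationProperty -Filter $filter -Name useAppPoolCredentials -PSPath $path).Value

    # Identity of the application pool backing this site.
    $pm = Get-ItemProperty "IIS:\AppPools\$($site.applicationPool)" -Name processModel
    $identity = if ($pm.identityType -eq 'SpecificUser') { $pm.userName } else { $pm.identityType }

    $note = ''
    if ($winAuth -and $kernel -and $pm.identityType -eq 'SpecificUser' -and -not $poolCred) {
        # Kernel mode decrypts Kerberos tickets with the machine account unless
        # useAppPoolCredentials is set, so a custom identity needs its SPNs verified.
        $note = 'kernel mode on with custom identity; verify SPN / useAppPoolCredentials'
    } elseif ($winAuth -and -not $kernel) {
        $note = 'kernel mode explicitly off (SharePoint 2010 default)'
    }

    New-Object PSObject -Property @{
        Site                  = $site.Name
        WindowsAuth           = [bool]$winAuth
        UseKernelMode         = [bool]$kernel
        UseAppPoolCredentials = [bool]$poolCred
        AppPoolIdentity       = $identity
        Note                  = $note
    }
}

$report | Select-Object Site, WindowsAuth, UseKernelMode, UseAppPoolCredentials, AppPoolIdentity, Note |
    Format-Table -AutoSize
```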