adfs.exe doesn't support authenticating to ADFS instance with Kerberos?

[award-54]

Hi all, we've found that we're unable to authenticate with the AdfsCredentialsProvider to our ADFS environment while NTLM is disabled. Our standard authentication method is Kerberos to ADFS, and we've disabled NTLM due to its deprecation in June of 2024 (as well as its range of vulnerabilites). https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features

While NTLM is disabled on the machine running the provider, we see the following audit logs in Windows' NTLM log (trimmed):

NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked.
Target server: HTTP/<idp_url>
...
Name of client process: \adfs3396089304566582679.exe
...

I'm able to reproduce the same behavior with a sample app (relevant small snippet below) - we suspect the AdfsCredentialProvider's adfs.exe does something similar

using var handler = new HttpClientHandler()
{
AllowAutoRedirect = false,
UseDefaultCredentials = !ntlmOnly
};

if (ntlmOnly)
{
var cache = new CredentialCache();
var baseUri = new Uri(initialUrl);
cache.Add(baseUri, "NTLM", CredentialCache.DefaultNetworkCredentials);
handler.Credentials = cache;
}

using var client = new HttpClient(handler);

Can this be updated to support Kerberos?