jd---
I am not following your question here. Any of the AIA or CDP paths MUST NOT require authentication to access them. This is by RFC standards and so these URIs should not be affected by NTLM Relay Attacks as the virtual directory should be configured for Windows Authentication - Disabled, and Anonymous Logon - Enabled.
Windows Clients cannot use FILE:// URIs. The LDAP:/// URIs only work for Windows Computers that are joined to the same forest as the CA. Please keep in mind that the triple "/" denotes current forest and is not really usable by Windows Clients in another AD forest or Windows Clients in a WORKGROUP.
geakin is correct it is best to NOT load IIS on any Certification Authority to keep the attack surface as low as possible on Certification Authorities. We would typically tell customers to install all the CA Web Service roles on one or multiple web servers and for each of the Roles use a DNS alias for each role in case later you want to move these roles around to other servers to spread the role, or slowly migrate the roles to new hardware one role at a time.
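The following PowerShell is an added audit example for the points in the reply above; it is not code from the poster or from Microsoft. `Test-CAPublicationUris` assumes it runs on the CA (or a host with the AD CS RSAT tools and the `ADCSAdministration` module) and that the HTTP publication points are reachable from there; it lists the CDP/AIA entries, flags `file://` and `ldap:///` entries for the client-reachability reasons given above, and probes each `http://` publication directory anonymously, treating an HTTP 401 as the misconfiguration the reply warns about. `Test-CertEnrollAuth` assumes it runs on the separate IIS host serving the CertEnroll directory with the `WebAdministration` module; the site/vdir path is a placeholder to adjust.

```powershell
# Added example (not from the original post). Defender-side checks for AIA/CDP publication:
#   Test-CAPublicationUris  - run on the CA / RSAT host: classify and anonymously probe the URIs
#   Test-CertEnrollAuth     - run on the IIS host: confirm Anonymous on, Windows Authentication off

function Test-CAPublicationUris {
    [CmdletBinding()]
    param()
    Import-Module ADCSAdministration -ErrorAction Stop

    # Both publication lists come back as URL templates (e.g. <ServerDNSName>, <CaName> tokens).
    $entries = @()
    $entries += Get-CACrlDistributionPoint       | ForEach-Object { [pscustomobject]@{ Kind = 'CDP'; Uri = $_.Uri } }
    $entries += Get-CAAuthorityInformationAccess | ForEach-Object { [pscustomobject]@{ Kind = 'AIA'; Uri = $_.Uri } }

    # Only <ServerDNSName> needs resolving to probe the directory; file-name tokens are dropped.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    foreach ($e in $entries) {
        $uri = $e.Uri
        if ($uri -match '^file://') {
            Write-Warning "$($e.Kind) $uri : file:// is not usable by Windows clients for chain building."
        }
        elseif ($uri -match '^ldap:///') {
            Write-Output "$($e.Kind) $uri : ldap:/// is resolvable only by clients joined to this forest (not other forests or workgroups)."
        }
        elseif ($uri -match '^https?://') {
            $concrete = $uri -replace '<ServerDNSName>', $fqdn
            # Probe the publication directory rather than the templated file name.
            $dir = $concrete.Substring(0, $concrete.LastIndexOf('/') + 1)
            try {
                # Deliberately no -UseDefaultCredentials: the request must be anonymous.
                $r = Invoke-WebRequest -Uri $dir -UseBasicParsing -Method Head -TimeoutSec 10
                $status = [int]$r.StatusCode
            }
            catch {
                # Non-2xx responses surface as exceptions; pull the status from the response if there is one.
                $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
            }
            switch ($status) {
                401         { Write-Warning "$($e.Kind) $dir : HTTP 401 - the vdir demands authentication; AIA/CDP must be anonymous." }
                { $_ -lt 0 } { Write-Warning "$($e.Kind) $dir : no HTTP response (DNS alias missing or firewalled?)." }
                default     { Write-Output  "$($e.Kind) $dir : HTTP $status with no authentication challenge." }
            }
        }
    }
}

function Test-CertEnrollAuth {
    [CmdletBinding()]
    param(
        # Placeholder: the site and virtual directory that publish CRLs/CA certs on the web server.
        [string] $IisPath = 'IIS:\Sites\Default Web Site\CertEnroll'
    )
    Import-Module WebAdministration -ErrorAction Stop

    $anon = Get-WebConfigurationProperty -PSPath $IisPath `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled
    $win  = Get-WebConfigurationProperty -PSPath $IisPath `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled

    $anonEnabled = [bool]$anon.Value
    $winEnabled  = [bool]$win.Value

    # Expected state per the reply above: Anonymous - Enabled, Windows Authentication - Disabled.
    [pscustomobject]@{
        Path               = $IisPath
        AnonymousEnabled   = $anonEnabled
        WindowsAuthEnabled = $winEnabled
        Compliant          = ($anonEnabled -and -not $winEnabled)
    }
}

# Usage (run each on the appropriate host):
#   Test-CAPublicationUris
#   Test-CertEnrollAuth -IisPath 'IIS:\Sites\Default Web Site\CertEnroll'
```

A non-compliant result from `Test-CertEnrollAuth` (Windows Authentication enabled on the publication vdir) is exactly the configuration that turns a plain CRL or AIA fetch into an NTLM authentication attempt; fixing it is a matter of flipping those two settings on the vdir, not of changing anything on the CA.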