diff --git a/aspnetcore/release-notes/aspnetcore-9.0.md b/aspnetcore/release-notes/aspnetcore-9.0.md index 0e3c5c14ebae..12e4d3ab839f 100644 --- a/aspnetcore/release-notes/aspnetcore-9.0.md +++ b/aspnetcore/release-notes/aspnetcore-9.0.md @@ -36,6 +36,10 @@ This section describes new features for minimal APIs. This section describes new features for authentication and authorization. +[!INCLUDE[](~/release-notes/aspnetcore-9/includes/oidccustomparms.md)] + +[!INCLUDE[](~/release-notes/aspnetcore-9/includes/httpsysextendedauth.md)] + ## Miscellaneous The following sections describe miscellaneous new features. diff --git a/aspnetcore/release-notes/aspnetcore-9/includes/httpsysextendedauth.md b/aspnetcore/release-notes/aspnetcore-9/includes/httpsysextendedauth.md new file mode 100644 index 000000000000..2d5577081c66 --- /dev/null +++ b/aspnetcore/release-notes/aspnetcore-9/includes/httpsysextendedauth.md @@ -0,0 +1,12 @@ +### Configure HTTP.sys extended authentication flags + +You can now configure the [`HTTP_AUTH_EX_FLAG_ENABLE_KERBEROS_CREDENTIAL_CACHING`](/windows/win32/api/http/ns-http-http_server_authentication_info) and [`HTTP_AUTH_EX_FLAG_CAPTURE_CREDENTIAL`](/windows/win32/api/http/ns-http-http_server_authentication_info) HTTP.sys flags by using the new `EnableKerberosCredentialCaching` and `CaptureCredentials` properties on the HTTP.sys to optimize how Windows authentication is handled. For example: + +```csharp +webBuilder.UseHttpSys(options => +{ + options.Authentication.Schemes = AuthenticationSchemes.Negotiate; + options.Authentication.EnableKerberosCredentialCaching = true; + options.Authentication.CaptureCredentials = true; +}); +``` diff --git a/aspnetcore/release-notes/aspnetcore-9/includes/oidccustomparms.md b/aspnetcore/release-notes/aspnetcore-9/includes/oidccustomparms.md new file mode 100644 index 000000000000..ee22b6560684 --- /dev/null +++ b/aspnetcore/release-notes/aspnetcore-9/includes/oidccustomparms.md 
@@ -0,0 +1,25 @@ +### OIDC and OAuth Parameter Customization + +The OAuth and OIDC authentication handlers now have an `AdditionalAuthorizationParameters` option to make it easier to customize authorization message parameters that are usually included as part of the redirect query string. In .NET 8 and earlier, this requires a custom callback or overridden method in a custom handler. Here's an example of .NET 8 code: + +```csharp +builder.Services.AddAuthentication().AddOpenIdConnect(options => +{ + options.Events.OnRedirectToIdentityProvider = context => + { + context.ProtocolMessage.SetParameter("prompt", "login"); + context.ProtocolMessage.SetParameter("audience", "https://api.example.com"); + return Task.CompletedTask; + }; +}); +``` + +The preceding example can now be simplified to the following code: + +```csharp +builder.Services.AddAuthentication().AddOpenIdConnect(options => +{ + options.AdditionalAuthorizationParameters.Add("prompt", "login"); + options.AdditionalAuthorizationParameters.Add("audience", "https://api.example.com"); +}); +```
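Review bot: In httpsysextendedauth.md, the intro sentence says "properties on the HTTP.sys to optimize how Windows authentication is handled", which drops the noun after "HTTP.sys" and never says what either flag does. Name the object the properties live on (the sample reaches them through `options.Authentication`) and add a sentence for each flag describing its effect and its default value. As written, the sample sets both `EnableKerberosCredentialCaching = true` and `CaptureCredentials = true`, so a reader who copies it turns on credential caching and credential capture with no indication of when either is appropriate. Both links also point at the same `ns-http-http_server_authentication_info` page, so a single link on the structure name would be less noisy than repeating it per flag.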
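Review bot: In oidccustomparms.md, the text after the second sample stops without saying when the callback is still needed. The values passed to `options.AdditionalAuthorizationParameters.Add(...)` are set once at configuration time, while the .NET 8 sample sets them inside `OnRedirectToIdentityProvider` with access to `context`, so the two are only equivalent for constant values. Suggest one closing sentence stating that the event remains the place for parameters that vary per request. Style point on the first line of the file: the heading "OIDC and OAuth Parameter Customization" is title case, while the other include added in this patch uses sentence case ("Configure HTTP.sys extended authentication flags"); "OIDC and OAuth parameter customization" would match.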