Microsoft introduced the StrongCertificateBindingEnforcement registry key (located under HKLM\SYSTEM\CurrentControlSet\Services\Kdc) to control this behavior. It accepts three values, and the behavior of your Domain Controllers is governed by the value assigned to HKLM\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement:

| Value | Mode | Behavior |
| :--- | :--- | :--- |
| 0 | Disabled | The DC uses legacy weak mappings (AltSecID) only. Highly insecure. |
| 1 | Compat (Legacy) | The DC tries strong binding first. If that fails, it falls back to weak mappings. This is the default for older domain functional levels. |
| 2 | Enforced | The DC requires strong binding. Weak mappings are ignored. This is the modern security standard. |

Enabling this feature (Value 2) can break legacy applications or environments where certificates are issued with malformed Subject Alternative Names or where UPNs have changed since the certificate was issued.

Here is your 3-step migration plan:

If you use (formerly Azure AD Connect) with Password Hash Sync or Pass-through Authentication, you do NOT need to worry about this setting for cloud authentication.
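Before moving a DC from Value 1 to Value 2 you want to know whether it is still falling back to weak mappings. The following PowerShell audit is an added example, not code from the original article: it reads the registry value on every DC and counts the KDC's Event ID 39 "no strong certificate mapping" warnings in the System log (source Microsoft-Windows-Kerberos-Key-Distribution-Center), a check the article does not describe. It assumes the RSAT ActiveDirectory module, WinRM access to the DCs, and a 7-day lookback window.

```powershell
# Added example: audit StrongCertificateBindingEnforcement on all DCs and
# flag the ones that are in Compat mode (1) with no recent weak-mapping
# fallbacks, i.e. the ones that can safely be moved to Enforced (2).
# Assumptions: RSAT ActiveDirectory module, WinRM to each DC, rights to read
# the remote System log. Lookback window is arbitrary.
$KdcKey       = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$KdcName      = 'StrongCertificateBindingEnforcement'
$ModeMap      = @{ 0 = 'Disabled'; 1 = 'Compat (Legacy)'; 2 = 'Enforced' }
$LookbackDays = 7

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ArgumentList $KdcKey, $KdcName, $LookbackDays -ScriptBlock {
        param($Key, $Name, $Days)

        # A missing value is reported as missing rather than guessed at.
        $raw = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name

        # Event ID 39: the KDC could not strongly map the certificate to the
        # account and fell back to a weak mapping. Under Value 2 these logons
        # would be rejected, so each one is a migration blocker to fix first.
        $weak = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
            Id           = 39
            StartTime    = (Get-Date).AddDays(-$Days)
        }

        [pscustomobject]@{
            DC            = $env:COMPUTERNAME
            Value         = $raw
            WeakMapEvents = ($weak | Measure-Object).Count
        }
    }
}

$report | ForEach-Object {
    $mode  = if ($null -eq $_.Value) { 'Not set' } else { $ModeMap[[int]$_.Value] }
    # Ready for Enforced only if it is already in Compat and never needed the fallback.
    $ready = ($_.Value -eq 1) -and ($_.WeakMapEvents -eq 0)
    [pscustomobject]@{
        DC = $_.DC; Value = $_.Value; Mode = $mode
        WeakMapEvents = $_.WeakMapEvents; ReadyForValue2 = $ready
    }
} | Sort-Object DC | Format-Table -AutoSize

# To move a DC explicitly into Compat mode (Value 1) before enforcing, run on it:
# Set-ItemProperty -Path $KdcKey -Name $KdcName -Value 1 -Type DWord
```

A DC showing Value 0 or "Not set" should be taken to 1 first and re-audited; only DCs with ReadyForValue2 = True have demonstrated that every certificate logon in the window bound strongly.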