Historically, DCs performed this mapping using (also known as AltSecID ). They would look at the certificate’s Subject field or Subject Alternative Name (SAN) and say, "Oh, you claim to be [email protected]? You must be that user."
The problem is the fallback . If the DC can't find the strong binding (perhaps due to an old certificate or a misconfigured attribute), it happily accepts the weak mapping. Attackers specifically craft their exploits to trigger that fallback path, bypassing strong binding entirely. strongcertificatebindingenforcement
If the crypto doesn’t match the claimed identity, authentication fails. Microsoft introduced the StrongCertificateBindingEnforcement registry key (located under HKLM\SYSTEM\CurrentControlSet\Services\Kdc ) to control this behavior. It accepts three values: Historically, DCs performed this mapping using (also known
Hardening Windows Authentication: A Deep Dive into StrongCertificateBindingEnforcement If the DC can't find the strong binding
| Value | Mode | Behavior | | :--- | :--- | :--- | | | Disabled | The DC uses legacy weak mappings (AltSecID) only. Highly insecure. | | 1 | Compat (Legacy) | The DC tries strong binding first. If that fails, it falls back to weak mappings. This is the default for older domain functional levels. | | 2 | Enforced | The DC requires strong binding. Weak mappings are ignored. This is the modern security standard. | Why "Compat" Mode (1) is Dangerous Most environments currently sit at Level 1 (Compat) . At first glance, this seems safe—it tries to be secure.
Ensure you are on Level 1. Then, enable Audit Mode for Certificate Mapping via Group Policy: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policies > Account Logon > Audit Kerberos Authentication Service
Why you need to move from "Audit" to "Enforced" to stop Kerberos relay attacks.