Policy
Allow name-based strong mappings for certificates
Microsoft Windows
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, WindowsServer2016
This policy setting enables the use of alternative, name-based identifiers to strongly map certificates issued to Active Directory user accounts and specifies which certificates map to which accounts. Without this setting enabled, certificates must meet the “strong mapping” criteria specified in aka.ms/StrongCertMapKB, which generally disallow name-based identifiers.

Each mapping specified in this policy must include a policy OID alongside an IssuerSubject and/or a UPN Suffix using the syntax specified below. If a valid mapping for a given certificate cannot be found in this policy, Active Directory will attempt to find a match using the existing strong mapping criteria specified in KB5014754. Certificate mappings which do not conform to either the “strong name mapping” criteria (this policy) or the existing “strong mapping” criteria will be considered invalid for authentication. The general policy format and some examples are listed below. This policy only applies to Active Directory user accounts.

General syntax
==============

<thumbprint>; <list of oids>; <name-match methods>

Examples
==============

IssuerThumbprint1; oid1, oid2, oid3; UpnSuffix=domain.com
IssuerThumbprint2; oid1; UpnSuffix=domain.com, UpnSuffix=other.domain.com, IssuerSubject
IssuerThumbprint3; oid1, oid2; IssuerSubject

The policy must contain exactly one certificate thumbprint per rule, with each rule represented as a tuple. Thumbprints must be unique and cannot be repeated in multiple rules. The sections of each tuple that are separated by semi-colons must be in the stated order, while the fields separated by commas can be in any order. The rules themselves are separated by newlines.
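The following is an added example, not part of the policy text and not Microsoft code: a small Python validator for the rule syntax described above, useful for checking a StrongNameMatchesList before it is deployed, since a rule the KDC cannot parse simply yields no name-based match and authentication falls back to the KB5014754 criteria. It assumes a thumbprint is the 40-hex-digit SHA-1 value Windows displays for a certificate, that policy OIDs are dotted-decimal, and that a UPN suffix is a DNS-style name; the thumbprints and OIDs in the sample policy are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Assumption: a certificate thumbprint is the 40-hex-digit SHA-1 hash Windows shows.
THUMBPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")
# Assumption: policy OIDs are written in dotted-decimal form, e.g. 1.2.3.4
OID_RE = re.compile(r"^\d+(?:\.\d+)+$")
# Assumption: a UPN suffix is a DNS-style name such as domain.com
DOMAIN_RE = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


@dataclass
class Rule:
    thumbprint: str        # issuer certificate thumbprint, upper-cased
    oids: list             # policy OIDs (at least one required)
    upn_suffixes: list     # UpnSuffix=... values, lower-cased; may be empty
    issuer_subject: bool   # True when IssuerSubject matching is listed


def parse_rule(line):
    """Parse one '<thumbprint>; <oids>; <name-match methods>' rule.
    Returns (Rule, None) on success or (None, error_message) on failure."""
    sections = [s.strip() for s in line.split(";")]
    if len(sections) != 3:
        return None, "expected 3 semicolon-separated sections, got %d" % len(sections)
    thumb, oid_section, match_section = sections

    thumb = thumb.replace(" ", "")  # tolerate the spaced form the GUI displays
    if not THUMBPRINT_RE.match(thumb):
        return None, "thumbprint %r is not 40 hex digits" % thumb

    # Comma-separated fields may appear in any order; empty fields are ignored.
    oids = [o.strip() for o in oid_section.split(",") if o.strip()]
    if not oids:
        return None, "no policy OID given"
    for oid in oids:
        if not OID_RE.match(oid):
            return None, "malformed OID %r" % oid

    upn_suffixes, issuer_subject = [], False
    for method in [m.strip() for m in match_section.split(",") if m.strip()]:
        if method == "IssuerSubject":
            issuer_subject = True
        elif method.startswith("UpnSuffix="):
            suffix = method[len("UpnSuffix="):].strip()
            if not DOMAIN_RE.match(suffix):
                return None, "malformed UpnSuffix %r" % suffix
            upn_suffixes.append(suffix.lower())
        else:
            return None, "unknown name-match method %r" % method
    if not upn_suffixes and not issuer_subject:
        return None, "rule needs IssuerSubject and/or at least one UpnSuffix"

    return Rule(thumb.upper(), oids, upn_suffixes, issuer_subject), None


def validate_policy(text):
    """Validate a whole policy (one rule per line, as in the REG_MULTI_SZ value).
    Returns (rules, errors); errors are 'line N: message' strings."""
    rules, errors, seen = [], [], {}
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        rule, err = parse_rule(line)
        if err:
            errors.append("line %d: %s" % (number, err))
            continue
        # Thumbprints must be unique across rules.
        if rule.thumbprint in seen:
            errors.append("line %d: thumbprint already used on line %d"
                          % (number, seen[rule.thumbprint]))
            continue
        seen[rule.thumbprint] = number
        rules.append(rule)
    return rules, errors


# Constructed sample: the three shapes from the policy text plus two bad rules
# (a repeated thumbprint and a rule with no OID). Values are placeholders.
T1, T2, T3, T4 = "A" * 40, "B" * 40, "C" * 40, "D" * 40
SAMPLE_POLICY = f"""
{T1}; 1.2.3.4, 1.2.3.5; UpnSuffix=domain.com
{T2}; 1.2.3.4; UpnSuffix=domain.com, UpnSuffix=other.domain.com, IssuerSubject
{T3}; 1.2.3.4, 1.2.3.5; IssuerSubject
{T1}; 1.2.3.4; IssuerSubject
{T4}; ; UpnSuffix=domain.com
"""

if __name__ == "__main__":
    rules, errors = validate_policy(SAMPLE_POLICY)
    for r in rules:
        print("OK ", r)
    for e in errors:
        print("ERR", e)
```

The validator only checks the syntax the policy text specifies; it cannot tell whether a thumbprint belongs to a trusted issuer or whether the listed OIDs are actually present in issued certificates, so it complements rather than replaces a test against real certificates in a lab domain.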
Registry values
How enabled and disabled states update the registry.
| Scope | Registry location | Type | Enabled value | Disabled value |
|---|---|---|---|---|
| Computer | HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters, value name UseStrongNameMatches | REG_DWORD | 1 | 0 |
Policy elements
Inputs and configuration options exposed by this policy.
| Scope | Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|---|
| Computer | Strong Name Match Rules (ID StrongNameMatchesList) | list | Path Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters, value name StrongNameMatchesList, type REG_MULTI_SZ | None |