Request compound authentication

Supported OS tags: Windows10, Windows10RT, Windows11, Windows81, WindowsRT81, WindowsServer2012R2, WindowsServer2016

This policy setting allows you to configure a domain controller to request compound authentication. Note: For a domain controller to request compound authentication, the policy "KDC support for claims, compound authentication, and Kerberos armoring" must be configured and enabled. If you enable this policy setting, domain controllers will request compound authentication. The returned service ticket will contain compound authentication only when the account is explicitly configured. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain. If you disable or do not configure this policy setting, domain controllers will return service tickets that contain compound authentication any time the client sends a compound authentication request regardless of the account configuration.

This policy has no additional user input fields.

• Computer
  Allow name-based strong mappings for certificates

  At least Windows Server 2019, Windows 10 Version 2004
• Computer
  Configure hash algorithms for certificate logon

  At least Windows 11 Version 22H2
• Computer
  KDC support for claims, compound authentication and Kerberos armoring

  At least Windows Server 2012, Windows 8 or Windows RT
• Computer
  KDC support for PKInit Freshness Extension

  At least Windows Server 2016, Windows 10
• Computer
  Provide information about previous logons to client computers

  At least Windows Vista
• Computer
  Use forest search order

  At least Windows Server 2008 R2 or Windows 7
• Computer
  Warning for large Kerberos tickets

  At least Windows Server 2012, Windows 8 or Windows RT