Policy
Allow name-based strong mappings for certificates
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, WindowsServer2016
This policy setting enables the use of alternative, name-based identifiers to strongly map certificates issued to Active Directory user accounts, and specifies which certificates map to which accounts. Without this setting enabled, certificates must meet the "strong mapping" criteria specified in aka.ms/StrongCertMapKB (KB5014754), which generally disallow name-based identifiers.

Each mapping specified in this policy must include a policy OID alongside an IssuerSubject and/or a UPN suffix, using the syntax below. If no valid mapping for a given certificate can be found in this policy, Active Directory falls back to the existing strong mapping criteria specified in KB5014754. Certificate mappings that conform to neither the "strong name mapping" criteria of this policy nor the existing "strong mapping" criteria are considered invalid for authentication. This policy only applies to Active Directory user accounts. Because the values it writes live under the KDC\Parameters key (see Registry values below), it is evaluated by the KDC, that is, on domain controllers.

General syntax
==============
<thumbprint>; <list of oids>; <name-match methods>

Examples
==============
IssuerThumbprint1; oid1, oid2, oid3; UpnSuffix=domain.com
IssuerThumbprint2; oid1; UpnSuffix=domain.com, UpnSuffix=other.domain.com, IssuerSubject
IssuerThumbprint3; oid1, oid2; IssuerSubject

Each rule is a tuple containing exactly one certificate thumbprint (the issuing CA's certificate, as the example names indicate). Thumbprints must be unique and cannot be repeated in multiple rules. The sections of each tuple separated by semicolons must appear in the stated order; the fields separated by commas within a section can be in any order. Rules are separated by newlines. A rule matches a certificate on the issuer's thumbprint plus a listed policy OID plus the name-match method, not on an account SID, so only list issuers whose issuance of those policy OIDs you control.
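The following is an added example, not code from the policy page or from Microsoft: a PowerShell validator that parses a StrongNameMatchesList (one rule per REG_MULTI_SZ element) against the rules stated above (exactly one thumbprint per rule, thumbprints unique, three semicolon-separated sections in fixed order, at least one policy OID, and IssuerSubject and/or one or more UpnSuffix= methods in any order), followed by a helper that writes the same two registry values the policy sets. The function names are hypothetical, the sample rules are constructed with placeholder thumbprints and OIDs, and two details are assumptions the page does not state: that the thumbprint is the issuing CA certificate's SHA-1 thumbprint (40 hex digits) and that OIDs are dotted-decimal.

```powershell
# Added example, not from the policy page or Microsoft. Function names are hypothetical.
# Assumptions: thumbprints are the issuing CA's SHA-1 thumbprint (40 hex digits) and
# OIDs are dotted-decimal; the page itself only says "thumbprint" and "oid".
function ConvertFrom-StrongNameMatchRule {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Rules)   # one rule per REG_MULTI_SZ element

    $seen   = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $errors = [System.Collections.Generic.List[string]]::new()
    $parsed = [System.Collections.Generic.List[object]]::new()

    foreach ($line in $Rules) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }

        # Sections are semicolon-separated and positional: thumbprint; OIDs; name-match methods
        $parts = $line -split ';'
        if ($parts.Count -ne 3) {
            $errors.Add("'$line': expected 3 semicolon-separated sections, found $($parts.Count)"); continue
        }

        # Exactly one thumbprint per rule, unique across all rules
        $thumbprint = $parts[0].Trim().ToUpperInvariant()
        if ($thumbprint -notmatch '^[0-9A-F]{40}$') {
            $errors.Add("'$line': thumbprint '$thumbprint' is not 40 hex digits"); continue
        }
        if (-not $seen.Add($thumbprint)) {
            $errors.Add("'$line': thumbprint '$thumbprint' is repeated in another rule"); continue
        }

        # One or more policy OIDs, comma-separated, any order
        $oids    = @($parts[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $badOids = @($oids | Where-Object { $_ -notmatch '^\d+(\.\d+)+$' })
        if ($oids.Count -eq 0 -or $badOids.Count -gt 0) {
            $errors.Add("'$line': needs at least one dotted-decimal policy OID (bad: $($badOids -join ', '))"); continue
        }

        # Name-match methods, any order: IssuerSubject and/or one or more UpnSuffix=<dns suffix>
        $issuerSubject = $false
        $upnSuffixes   = [System.Collections.Generic.List[string]]::new()
        $unknown       = [System.Collections.Generic.List[string]]::new()
        foreach ($m in @($parts[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
            if     ($m -ieq 'IssuerSubject')                                    { $issuerSubject = $true }
            elseif ($m -imatch '^UpnSuffix=([A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*)$') { $upnSuffixes.Add($Matches[1].ToLowerInvariant()) }
            else                                                                { $unknown.Add($m) }
        }
        if ($unknown.Count -gt 0) {
            $errors.Add("'$line': unknown name-match method(s): $($unknown -join ', ')"); continue
        }
        if (-not $issuerSubject -and $upnSuffixes.Count -eq 0) {
            $errors.Add("'$line': needs IssuerSubject and/or at least one UpnSuffix="); continue
        }

        $parsed.Add([pscustomobject]@{
            IssuerThumbprint = $thumbprint
            PolicyOids       = $oids
            IssuerSubject    = $issuerSubject
            UpnSuffixes      = $upnSuffixes.ToArray()
        })
    }

    if ($errors.Count -gt 0) { throw ("Invalid StrongNameMatchesList:`n" + ($errors -join "`n")) }
    return $parsed.ToArray()
}

# Writes the validated rules to the same values the policy sets (see Registry values below).
# Run on a domain controller; use -WhatIf first. Values under Policies\ are re-applied by
# Group Policy refresh, so a GPO is the durable way to set this in production.
function Set-StrongNameMatchPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string[]]$Rules)
    $kdcKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
    $null = ConvertFrom-StrongNameMatchRule -Rules $Rules      # throws on any invalid rule
    if ($PSCmdlet.ShouldProcess($kdcKey, 'Enable UseStrongNameMatches and set StrongNameMatchesList')) {
        if (-not (Test-Path $kdcKey)) { $null = New-Item -Path $kdcKey -Force }
        Set-ItemProperty -Path $kdcKey -Name UseStrongNameMatches  -Type DWord       -Value 1
        Set-ItemProperty -Path $kdcKey -Name StrongNameMatchesList -Type MultiString -Value $Rules
    }
}

# Constructed sample rules: placeholder thumbprints and OIDs, not real CAs or issuance policies.
$sampleRules = @(
    '0123456789ABCDEF0123456789ABCDEF01234567; 1.2.3.4, 1.2.3.5; UpnSuffix=corp.example.com'
    '89ABCDEF0123456789ABCDEF0123456789ABCDEF; 1.2.3.4; UpnSuffix=corp.example.com, UpnSuffix=partner.example.net, IssuerSubject'
    'FEDCBA9876543210FEDCBA9876543210FEDCBA98; 1.2.3.6, 1.2.3.7; IssuerSubject'
)
ConvertFrom-StrongNameMatchRule -Rules $sampleRules |
    Format-Table IssuerThumbprint, IssuerSubject,
        @{ n = 'UpnSuffixes'; e = { $_.UpnSuffixes -join ',' } },
        @{ n = 'PolicyOids';  e = { $_.PolicyOids  -join ',' } }

# Set-StrongNameMatchPolicy -Rules $sampleRules -WhatIf
```

Feeding the same thumbprint in two rules, a rule with only two sections, or a method other than IssuerSubject/UpnSuffix= makes ConvertFrom-StrongNameMatchRule throw with every offending rule listed, so a bad list is rejected before it reaches the KDC rather than silently falling back to the KB5014754 criteria at logon time.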
Registry values
How enabled and disabled states update the registry.
| Registry location | Type | Enabled value | Disabled value |
|---|---|---|---|
| HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\UseStrongNameMatches | REG_DWORD | 1 | 0 |
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
| Strong Name Match Rules (ID: StrongNameMatchesList) | list | HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\StrongNameMatchesList (REG_MULTI_SZ) | None |
Other policies in this category
Explore related policies at the same level.
- Computer: Configure hash algorithms for certificate logon (At least Windows 11 Version 22H2)
- Computer: KDC support for claims, compound authentication and Kerberos armoring (At least Windows Server 2012, Windows 8 or Windows RT)
- Computer: KDC support for PKInit Freshness Extension (At least Windows Server 2016, Windows 10)
- Computer: Provide information about previous logons to client computers (At least Windows Vista)
- Computer: Request compound authentication (At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1)
- Computer: Use forest search order (At least Windows Server 2008 R2 or Windows 7)
- Computer: Warning for large Kerberos tickets (At least Windows Server 2012, Windows 8 or Windows RT)