KDC support for PKInit Freshness Extension

Supported OS tags: Windows10, Windows10RT, Windows11, WindowsServer2016

Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controller’s domain is not at Windows Server 2016 DFL or higher this policy will not be applied. This policy setting allows you to configure a domain controller (DC) to support the PKInit Freshness Extension. If you enable this policy setting, the following options are supported: Supported: PKInit Freshness Extension is supported on request. Kerberos clients successfully authenticating with the PKInit Freshness Extension will get the fresh public key identity SID. Required: PKInit Freshness Extension is required for successful authentication. Kerberos clients which do not support the PKInit Freshness Extension will always fail when using public key credentials. If you disable or not configure this policy setting, then the DC will never offer the PKInit Freshness Extension and accept valid authentication requests without checking for freshness. Users will never receive the fresh public key identity SID.

No explicit registry values are set for enabled or disabled states.

• Computer
  Allow name-based strong mappings for certificates

  At least Windows Server 2019, Windows 10 Version 2004
• Computer
  Configure hash algorithms for certificate logon

  At least Windows 11 Version 22H2
• Computer
  KDC support for claims, compound authentication and Kerberos armoring

  At least Windows Server 2012, Windows 8 or Windows RT
• Computer
  Provide information about previous logons to client computers

  At least Windows Vista
• Computer
  Request compound authentication

  At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1
• Computer
  Use forest search order

  At least Windows Server 2008 R2 or Windows 7
• Computer
  Warning for large Kerberos tickets

  At least Windows Server 2012, Windows 8 or Windows RT