Strongcertificatebindingenforcement _hot_ May 2026
Why you need to move from "Audit" to "Enforced" to stop Kerberos relay attacks.
For years, most admins ignored it. But in 2024/2025, ignoring this setting is a security risk you cannot afford to take. strongcertificatebindingenforcement
Here is your 3-step migration plan:
An attacker with a valid certificate (even one belonging to a different user) could alter the Subject or SAN before sending it to the DC. If the weak mapping didn't enforce a cryptographic check, the DC might accept the forged identity. Why you need to move from "Audit" to
In this post, we’ll break down what certificate binding is, how attackers bypass it, and why StrongCertificateBindingEnforcement = 2 (Enforced) is the new standard for authentication hardening. Windows uses a protocol called PKINIT to allow smart cards (or Windows Hello for Business) to authenticate to Active Directory. When a certificate is presented, the Domain Controller (DC) extracts the user’s identity from the certificate and maps it to an Active Directory account. Here is your 3-step migration plan: An attacker
| Value | Mode | Behavior | | :--- | :--- | :--- | | | Disabled | The DC uses legacy weak mappings (AltSecID) only. Highly insecure. | | 1 | Compat (Legacy) | The DC tries strong binding first. If that fails, it falls back to weak mappings. This is the default for older domain functional levels. | | 2 | Enforced | The DC requires strong binding. Weak mappings are ignored. This is the modern security standard. | Why "Compat" Mode (1) is Dangerous Most environments currently sit at Level 1 (Compat) . At first glance, this seems safe—it tries to be secure.
In security, "fallback to insecure" is just "insecure with extra steps." Before you flip the switch to Level 2 across all your DCs, you need to audit your environment. Switching to Enforced will break authentication for any user or device that relies on weak certificate mapping.