Skip To Main Content

Toggle Close Container

Mobile Search

Mobile Main Nav

District Home Link

Mobile Utility

Header Holder

Header Top

District Home Link

Toggle Schools Container

Utility Nav - Desktop

Translate

Desktop Search

Header Bottom

Toggle Menu Container

District Canvas Container

Close District Canvas

District Navs Tabs - Desktop

District Navs Accordions - Mobile

Canvas Icons Nav

Breadcrumb

This setting, introduced by Microsoft, controls how strictly the Domain Controller enforces certificate-based authentication binding. Getting it wrong can break legacy smart card logins; getting it right closes critical elevation-of-privilege vulnerabilities (CVE-2020-17049).

If you’ve been troubleshooting Kerberos authentication issues in a modern Active Directory environment—especially around PKINIT or smart card logins—you’ve likely come across the term StrongCertificateBindingEnforcement .

But where exactly is this registry key located? And what values should you use? Let’s cut through the confusion. On a Domain Controller (where the behavior is enforced), the key lives under: