This parameter controls the enforcement of Windows certificate bindings, as outlined in KB5014754: Certificate-based authentication changes on Windows domain controllers, when performing certificate-based Kerberos authentication (PKINIT).

The possible values are:

none
    No validation of the certificate mappings is performed.

compatibility
    Weak certificate mappings are permitted. In compatibility mode, for WEAK mappings the date the certificate was issued must be after the date that the user was created. Unless has a value. In that case the certificate may have been issued no more than that number of minutes before the user was created.

full
    Only strong certificate mappings are permitted. This is the default.

Certificate mappings are configured in the user's altSecurityIdentities attribute and may be any of:

X509 Issuer and subject
    Example: "X509:<I>IssuerName<S>SubjectName"
    The values provided for the issuer name and subject name must match those in the user's certificate exactly.
    WEAK

X509 Subject only
    Example: "X509:<S>SubjectName"
    The value provided for the subject name must match that in the user's certificate exactly.
    WEAK

X509 RFC822
    Example: "X509:<RFC822>test@example.com"
    Email address
    WEAK

X509 Issuer and serial number
    Example: "X509:<I>IssuerName<SR>123456789"
    Certificate issuer and serial number
    STRONG

X509 Subject Key Identifier
    Example: "<SKI>01234xxxxx"
    STRONG

X509 public key SHA1
    Example: "X509:<SHA1-PUKEY>1234567890abcdef"
    The SHA1 hash of the certificate's public key
    STRONG

Certificate mappings may also take the form of a certificate extension (extension 1.3.6.1.4.1.311.25.2) that contains the user's SID. This is considered a STRONG mapping.

Default: full
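The following is an added example, not code from the project this page documents: a small audit helper that classifies altSecurityIdentities values by the strengths listed above and applies the none / compatibility / full rules, so weak mappings can be found before enforcement is set to full. The function names, the `allowance_minutes` and `sid_extension` parameters, and the sample data are assumptions made for illustration.

```python
import re
from datetime import timedelta

# Tag sequences and strengths exactly as listed in the mapping list above.
STRENGTH = {
    ("I", "S"): "WEAK",
    ("S",): "WEAK",
    ("RFC822",): "WEAK",
    ("I", "SR"): "STRONG",
    ("SKI",): "STRONG",
    ("SHA1-PUKEY",): "STRONG",
}
TAG = re.compile(r"<([A-Za-z0-9-]+)>[^<]*")


def classify(mapping):
    """Return STRONG, WEAK or UNKNOWN for one altSecurityIdentities value."""
    # The SKI example above has no "X509:" prefix, so the prefix is optional here.
    body = mapping[5:] if mapping.upper().startswith("X509:") else mapping
    tags = tuple(t.upper() for t in TAG.findall(body))
    return STRENGTH.get(tags, "UNKNOWN")


def permitted(mapping, mode, issued, created, allowance_minutes=None,
              sid_extension=False):
    """Decide whether a matched mapping is acceptable under the given mode.

    allowance_minutes is a hypothetical name for the minutes value the
    compatibility description refers to; None means it has no value.
    sid_extension assumes the caller already matched the SID in the
    1.3.6.1.4.1.311.25.2 extension against the user.
    """
    if mode == "none":
        return True                      # no validation at all
    strength = classify(mapping)
    if sid_extension or strength == "STRONG":
        return True                      # strong passes compatibility and full
    if mode == "compatibility" and strength == "WEAK":
        if allowance_minutes is None:
            return issued > created      # issued after the user was created
        return issued >= created - timedelta(minutes=allowance_minutes)
    return False                         # full mode, or unrecognised mapping


def weak_mappings(users):
    """List (user, mapping) pairs that would stop working under 'full'."""
    return [(name, m) for name, maps in users.items()
            for m in maps if classify(m) != "STRONG"]


# Constructed sample directory data, using the example values from this page.
SAMPLE = {
    "alice": ["X509:<I>IssuerName<SR>123456789"],
    "bob": ["X509:<S>SubjectName", "X509:<SHA1-PUKEY>1234567890abcdef"],
}
```

Running `weak_mappings` over an export of user mappings gives the accounts to re-map or re-issue certificates for before moving from compatibility to full.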