Policy

Allow name-based strong mappings for certificates

This policy setting enables the use of alternative, name-based identifiers to strongly map certificates issued to Active Directory user accounts and specifies which certificates map to which accounts. Without this setting enabled, certificates must meet the “strong mapping” criteria specified in aka.ms/StrongCertMapKB, which generally disallow name-based identifiers. Each mapping specified in this policy must include a policy OID alongside an IssuerSubject and/or a UPN Suffix using the syntax specified below. If a valid mapping for a given certificate cannot be found in this policy, Active Directory will attempt to find a match using the existing strong mapping criteria specified in KB5014754. Certificate mappings which do not conform to either the “strong name mapping” criteria (this policy) or the existing “strong mapping” criteria will be considered invalid for authentication. The general policy format and some examples are listed below. This policy only applies to Active Directory user accounts.

General syntax
==============

<thumbprint>; <list of oids>; <name-match methods>

Examples
==============

IssuerThumbprint1; oid1, oid2, oid3; UpnSuffix=domain.com
IssuerThumbprint2; oid1; UpnSuffix=domain.com, UpnSuffix=other.domain.com, IssuerSubject
IssuerThumbprint3; oid1, oid2; IssuerSubject

The policy must contain exactly one certificate thumbprint per rule, with each rule represented as a tuple. Thumbprints must be unique and cannot be repeated in multiple rules. The sections of each tuple that are separated by semicolons must be in the stated order, while the fields separated by commas can be in any order. The rules themselves are separated by newlines.
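The following validator, an added example rather than Microsoft's own code, parses a StrongNameMatchesList value against the syntactic rules stated above (three semicolon-separated sections in fixed order, exactly one thumbprint, at least one policy OID, IssuerSubject and/or UpnSuffix=, no repeated thumbprints). Case-insensitive comparison of thumbprints and UPN suffixes is an assumption, and the sample value is constructed from the page's placeholder examples.

```python
from dataclasses import dataclass


@dataclass
class StrongNameRule:
    thumbprint: str       # issuer thumbprint, upper-cased for comparison (assumption)
    oids: list            # policy OIDs from the second section
    upn_suffixes: list    # every UpnSuffix= value, lower-cased (assumption)
    issuer_subject: bool  # True when the IssuerSubject method is listed


def parse_rule(line: str) -> StrongNameRule:
    """Parse one rule: <thumbprint>; <list of oids>; <name-match methods>."""
    parts = [p.strip() for p in line.split(";")]
    if len(parts) != 3:
        raise ValueError("rule must have exactly three ';'-separated sections")
    thumbprint, oid_text, method_text = parts
    if not thumbprint or "," in thumbprint or " " in thumbprint:
        raise ValueError("rule must start with exactly one thumbprint")
    oids = [o.strip() for o in oid_text.split(",") if o.strip()]
    if not oids:
        raise ValueError("at least one policy OID is required")
    upn_suffixes, issuer_subject = [], False
    for method in (m.strip() for m in method_text.split(",") if m.strip()):
        if method == "IssuerSubject":
            issuer_subject = True
        elif method.startswith("UpnSuffix="):
            suffix = method[len("UpnSuffix="):].strip().lower()
            if not suffix:
                raise ValueError("UpnSuffix= needs a domain suffix")
            upn_suffixes.append(suffix)
        else:
            raise ValueError(f"unknown name-match method {method!r}")
    if not (upn_suffixes or issuer_subject):
        raise ValueError("rule needs IssuerSubject and/or UpnSuffix=")
    return StrongNameRule(thumbprint.upper(), oids, upn_suffixes, issuer_subject)


def parse_policy(text: str):
    """Parse a whole policy value (one rule per line).
    Returns (rules_by_thumbprint, errors); any error means the value is malformed."""
    rules, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rule = parse_rule(line)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        if rule.thumbprint in rules:
            errors.append(f"line {lineno}: thumbprint {rule.thumbprint} repeated")
            continue
        rules[rule.thumbprint] = rule
    return rules, errors
```

Running `parse_policy` on the three example rules from the page yields three rules and an empty error list; a rule with no OID, no name-match method, or a thumbprint already used by an earlier line is reported with its line number.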

Policy
Pack: Microsoft Windows
Category: System / KDC
Policy ID: 2a553d66fe0b
Internal name: StrongNameMatches

Registry

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\UseStrongNameMatches (enabled) = 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\UseStrongNameMatches (disabled) = 0
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters\StrongNameMatchesList

Related policies