Policy

Always send compound authentication first

This policy setting controls whether a device always sends a compound authentication request when the resource domain requests compound identity. Note: For a domain controller to request compound authentication, the policies "KDC support for claims, compound authentication, and Kerberos armoring" and "Request compound authentication" must be configured and enabled in the resource account domain. If you enable this policy setting and the resource domain requests compound authentication, devices that support compound authentication always send a compound authentication request. If you disable or do not configure this policy setting and the resource domain requests compound authentication, devices will send a non-compounded authentication request first then a compound authentication request when the service requests compound authentication.

Policy
Pack Microsoft Windows
Category System / Kerberos
Policy ID a6dc03b4785c
Internal name AlwaysSendCompoundId

Registry

Copy registry mappings

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\AlwaysSendCompoundId (enabled) = 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\AlwaysSendCompoundId (disabled) = 0

Policy notes

This policy setting controls whether a device always sends a compound authentication request when the resource domain requests compound identity. Note: For a domain controller to request compound authentication, the policies "KDC support for claims, compound authentication, and Kerberos armoring" and "Request compound authentication" must be configured and enabled in the resource account domain. If you enable this policy setting and the resource domain requests compound authentication, devices that support compound authentication always send a compound authentication request. If you disable or do not configure this policy setting and the resource domain requests compound authentication, devices will send a non-compounded authentication request first then a compound authentication request when the service requests compound authentication.

Related policies

Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logonConfigure hash algorithms for certificate logonDefine host name-to-Kerberos realm mappingsDefine interoperable Kerberos V5 realm settingsDisable revocation checking for the SSL certificate of KDC proxy serversEnable Delegated Managed Service Account logonsFail authentication requests when Kerberos armoring is not available