KB5014754 Certificate based authentication changes on DCs

Anonymous
2025-01-28T18:33:23+00:00

In my small environment of less than 100 users, I'm using Windows Server 2022 as domain controllers. These are patched to the January 2025 updates.

I do not see the strongcertificatebindingenforcement key in the registry. I would expect that key to show up at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc.

My objective is to check for errors and based on any errors, either set the binding key to compatibility mode or enforcement - allowing me to remediate as necessary.

In my environment, I do not use certificate based authentication - passwords only. The exception is the remote server, where the certificate for RDS does need attention.

I tried to install the May 10, 2022 update KB5103944 thinking that installing this update may install the certificate binding registry key(s). However, I got a message that this update is not applicable to my system.

I read another post where the OP created the keys manually. Is that what needs to be done, i.e. keys created manually? That would seem odd.

What am I missing here? Any guidance highly appreciated.


4 answers

  1. Anonymous
    2025-01-29T07:17:32+00:00

    Hello

    Thank you for posting in Microsoft Community.

    It looks like you are trying to enable or troubleshoot the Certificate-Based Authentication (CBA) changes introduced by KB5014754 and subsequent updates related to strong certificate binding enforcement on your Windows Server 2022 domain controllers. You're looking to check for errors and potentially enable the strongcertificatebindingenforcement key, but the registry key isn't present on your system. Let me walk you through the details and help clarify your situation.

    1. Overview of KB5014754 and Strong Certificate Binding Enforcement

    The KB5014754 update introduced a strong certificate binding enforcement feature to help mitigate security risks by ensuring that certificates used for Kerberos authentication are appropriately bound to the system and not tampered with. The update provides a registry key strongcertificatebindingenforcement to control this behavior.

    The key you are looking for (strongcertificatebindingenforcement) is typically located at:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

    This key controls whether strong certificate binding enforcement is enabled or not.

    Default: The key is not present if you have not applied updates that require it.

    When enabled: This ensures stricter certificate bindings for authentication.

    2. Why the Key Might Be Missing

    The key strongcertificatebindingenforcement does not appear unless you are using features such as certificate-based authentication (CBA) or Kerberos with certificates. Since your environment is using password-based authentication and you do not rely on certificate-based authentication (aside from your RDS certificate), the key is likely not created automatically.

    Moreover, the May 2022 update (KB5103944) was primarily focused on additional updates for enforcement and error handling related to CBA, but this update may not have applied directly in your scenario (as the system message indicates it was not applicable).

    3. What Happens If You Don’t Use CBA?

    Since you mentioned that you don't use certificate-based authentication, this registry key might not be necessary for your environment. It’s specifically relevant to those environments that are enabling certificate-based authentication for Kerberos.

    For your setup, where you use password-based authentication only, this feature doesn’t apply unless you plan to enable strong certificate binding enforcement for certain services, such as RDS (Remote Desktop Services).

    4. What to Do Next

    If you want to proactively manage the strongcertificatebindingenforcement setting or ensure your system remains compatible with future updates, you have two options:

    A. Manually Create the Registry Key (if needed for enforcement)

    If you plan to enable certificate binding enforcement (even though you’re not using certificate-based authentication in most places), you can manually create the strongcertificatebindingenforcement key. Here’s how:

    Open the Registry Editor (regedit).

    Navigate to the path:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

    Create a new DWORD value named strongcertificatebindingenforcement:

    0: Compatibility mode (no enforcement)

    1: Enforcement mode (strong certificate binding enforcement)

    Right-click and select New > DWORD (32-bit) Value, and name it strongcertificatebindingenforcement.

    Set the value to 0 for Compatibility Mode or 1 for Enforcement Mode.

    Restart the server for the changes to take effect.

    B. Monitor for Errors (Event Logs)

    Even if you don’t use certificate-based authentication right now, you should monitor the event logs for any errors related to certificate binding. Windows will log errors related to this feature if something goes wrong.

    Check Event Viewer for any Kerberos-related errors or authentication errors that may indicate that CBA is being improperly enforced.

    Path: Event Viewer > Applications and Services Logs > Microsoft > Windows > Kerberos

    Look for error codes related to certificates if any.

    5. Conclusion

    If you do not plan to use certificate-based authentication (CBA) and are relying on passwords only, the registry key strongcertificatebindingenforcement may not be necessary for your environment, and you may not see the key unless you opt to enable stronger certificate binding enforcement.

    If you want to prepare for potential future use of certificate-based authentication or RDS, you can create the registry key manually to control enforcement.

    Ensure to monitor event logs for related errors in case of issues with CBA or Kerberos.

    I hope the above information is helpful to you.

    Best regards

    Runjie Zhai

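    One way to carry out the check-then-remediate approach described in this answer on a domain controller, as an added PowerShell example that is not code from the thread or from Microsoft: it reads the StrongCertificateBindingEnforcement value using the 0, 1 and 2 meanings KB5014754 itself defines, and summarises the KDC events that report certificates which could not be strongly mapped. The event IDs 39, 40 and 41 and the provider-name match are taken from KB5014754, not from this page, and are assumptions of the example.

```powershell
# Added example, not code from the thread. Inspect the KDC strong-mapping
# setting on a DC and list recent KDC events about weakly mapped certificates.
# Run in an elevated PowerShell session on the domain controller.

$KdcPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'StrongCertificateBindingEnforcement'

function Get-KdcBindingMode {
    # Returns 0, 1 or 2, or $null when the value was never created
    # (then the OS default for the installed update level applies).
    $item = Get-ItemProperty -Path $KdcPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-KdcBindingMode {
    # 0 = checks disabled (not recommended), 1 = compatibility, 2 = full
    # enforcement: the meanings KB5014754 gives the value.
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Mode)
    New-ItemProperty -Path $KdcPath -Name $ValueName -PropertyType DWord `
        -Value $Mode -Force | Out-Null
}

function Get-WeakMappingEvents {
    # KDC events 39, 40 and 41 in the System log are the ones KB5014754
    # documents for certificates that cannot be strongly mapped (assumption:
    # those IDs come from the KB, not from this thread). The provider filter
    # drops Schannel events that reuse the same IDs.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 39, 40, 41
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'Kdcsvc|Kerberos-Key-Distribution-Center' } |
        Select-Object TimeCreated, Id, ProviderName,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Report the current mode; do not change it until the event review is clean.
$mode = Get-KdcBindingMode
if ($null -eq $mode) { 'StrongCertificateBindingEnforcement is not set; the OS default applies.' }
elseif ($mode -eq 0) { 'Mode 0: strong mapping checks disabled (not recommended).' }
elseif ($mode -eq 1) { 'Mode 1: compatibility; weak mappings logged, allowed only if the account predates the certificate.' }
else                 { 'Mode 2: full enforcement; weak mappings are rejected.' }

Get-WeakMappingEvents -Days 30 | Format-Table -AutoSize
# Once no weak-mapping events appear for a full review period, move to enforcement:
# Set-KdcBindingMode -Mode 2
```

    Review the events on every DC, since each KDC logs only the authentications it handled.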
  2. Anonymous
    2025-01-29T16:29:33+00:00

    Hello Runjie, Thank you for the detailed response. It is very helpful. Much appreciated.

    A couple of questions:

    1. My understanding is that KB5014754 is applicable to certificate-based authentication for ADDS on domain controllers only. It does not apply to any other server roles, unless they have ADDS. Please confirm.
    2. The RDS server was recently built using Server 2019. The certificate was implemented as part of the RDS server build; I did not install a certificate on that server. The certificate is not configured correctly and is not trusted. Users get a notification that they then bypass to complete authentication (password based). The RDS server is not internet facing and is behind a firewall. Users connect using a secure VPN tunnel. (a) If I leave the certificate as-is, do the KB5014754 changes have any impact? (b) Can I safely delete the invalid certificate to remove the warning message received by users during authentication?
  3. Anonymous
    2025-02-03T15:00:10+00:00

    Hello Runjie,

    Good day.

    [1] According to this link KB5014754: Certificate-based authentication changes on Windows domain controllers - Microsoft Support

    It describes the value as:

    Data:

    1 – Checks if there is a strong certificate mapping. If yes, authentication is allowed. Otherwise, the KDC will check if the certificate has the new SID extension and validate it. If this extension is not present, authentication is allowed if the user account predates the certificate.

    2 – Checks if there’s a strong certificate mapping. If yes, authentication is allowed. Otherwise, the KDC will check if the certificate has the new SID extension and validate it. If this extension is not present, authentication is denied.

    0 – Disables strong certificate mapping check. Not recommended because this will disable all security enhancements.

    If you set this to 0, you must also set CertificateMappingMethods to 0x1F as described in the Schannel registry key section below for computer certificate-based authentication to succeed.

    My understanding is

    Value 0 = Disable Mode

    Value 1 = Compatibility Mode

    Value 2 = Full Enforcement

    Please correct me if I am wrong.

    [2] If I set Enforcement mode (strong certificate binding enforcement), does it take effect immediately, regardless of whether the Feb 2025 Windows Update is installed or not? Correct?

    [3] After the Feb 2025 Windows update, if there is no StrongCertificateBindingEnforcement key, it will default to Full Enforcement mode - correct?

    After the Feb 2025 Windows update, if StrongCertificateBindingEnforcement is set to the Compatibility value, it will stay in Compatibility mode - correct?

    If I set Full Enforcement mode now, I can still change the option back to Compatibility mode until Sep 2025 - correct?


    Thanks.

    Kitoro

  4. Anonymous
    2025-02-14T04:45:10+00:00

    Any update?
