Hello,
I'm requesting some guidance / clarification on documents that initiated back in Nov 2021 & May 2022 regarding the Kerberos Distribution Center (KDC) and how it will be servicing a certificate-based authentication request with strong bindings only. After May 2023, clients will no longer be able to authenticate with a "weak" certificate mapping. I'm late to the game on this one and most of the patches mentioned will not install on my Server 2019 test DCs or the CA. I get a dialog that this patch is not applicable to my computer. I believe I understand now, using the catalog, that only the latest update will install. The problem is when I install the latest relevant patch, I don't get the behavior described in the docs (such as the registry keys for StrongCertificateBindingEnforcement on domain controllers).
Here are the articles I'm attempting to follow:
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16#bkmk_kdcregkey
The final article seems to suggest that patch KB5021655 should resolve all of the issues that were laid out in the previous year (for Server 2019). It also seems, when using the Microsoft Update Catalog, that this patch supersedes most of the earlier patches.
My concerns are that I never did see the registry key on the domain controllers for StrongCertificateBindingEnforcement, so I can't verify if I'm progressing correctly. I saw some of the event activity very briefly (maybe because I installed the latest patch too soon). I would also like to know if this applies to device certificates, since we don't use user certs.
Any guidance here is appreciated.
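The registry value and KDC events the question refers to can be checked directly on a domain controller. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the key path, value name, mode values and event IDs documented in KB5014754 for Server 2019, and the function names, the `-Days` parameter and the output shape are this example's own. One point worth knowing when reading the results: the update does not create the StrongCertificateBindingEnforcement value, and an absent value means the KDC runs in Compatibility mode, which is why a freshly patched DC shows nothing under the Kdc key.

```powershell
# Added example (not from the original thread). Run in an elevated PowerShell session on a
# Server 2019 domain controller patched per KB5014754.
# Assumptions: key path, value name, mode semantics and event IDs are those in KB5014754;
# function names and the -Days parameter are this example's own.

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'StrongCertificateBindingEnforcement'

function Get-KdcBindingMode {
    # The update does not create the value; when it is absent the KDC behaves as
    # Compatibility mode (1), so a freshly patched DC legitimately shows no value here.
    $item = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Value = $null; Mode = 'Compatibility (default, value not set)' }
    }
    $mode = switch ($item.$ValueName) {
        0       { 'Disabled (weak mappings accepted, no warning events)' }
        1       { 'Compatibility (weak mappings accepted, events 39/40/41 logged)' }
        2       { 'Full Enforcement (weak mappings rejected)' }
        default { "Unknown value $($item.$ValueName)" }
    }
    [pscustomobject]@{ Present = $true; Value = $item.$ValueName; Mode = $mode }
}

function Set-KdcBindingMode {
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Value)
    # Creating the value explicitly makes the DC's state visible and auditable instead of
    # relying on the implicit default.
    if (-not (Test-Path $KdcKey)) { New-Item -Path $KdcKey -Force | Out-Null }
    New-ItemProperty -Path $KdcKey -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
    Get-KdcBindingMode
}

function Get-KdcWeakMappingEvents {
    param([int]$Days = 7)
    # KB5014754 events in the System log: 39 (certificate has no strong mapping),
    # 40 (certificate was issued before the account existed), 41 (SID in the
    # certificate does not match the account's SID).
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39, 40, 41
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Test-CertificateHasSidExtension {
    # Strong mapping applies to any certificate used for Kerberos PKINIT, device/computer
    # certificates included. Certificates issued by a CA patched per KB5014754 carry the
    # SID extension (OID 1.3.6.1.4.1.311.25.2); ones issued before the CA was patched do not
    # and will be logged as weak (event 39) until re-issued.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    [bool]($Certificate.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.25.2' })
}

# Usage on a DC: show the current mode, then the last 30 days of weak-mapping events.
Get-KdcBindingMode
Get-KdcWeakMappingEvents -Days 30 | Format-Table -AutoSize

# Inspect local machine certificates (e.g. a device certificate) for the SID extension.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    [pscustomobject]@{
        Subject         = $_.Subject
        NotBefore       = $_.NotBefore
        HasSidExtension = Test-CertificateHasSidExtension -Certificate $_
    }
}
```

Running `Get-KdcWeakMappingEvents` in Compatibility mode over a period that covers normal logon traffic shows which accounts and certificates would start failing under Full Enforcement; only once that list is empty does setting the value to 2 with `Set-KdcBindingMode` become safe.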
Something here could help.
https://www.cisa.gov/guidance-applying-june-microsoft-patch
--please don't forget to upvote and Accept as answer if the reply is helpful--
Well,
The bottom line appears to be that you cannot install previous patches if you already have a superseding patch installed, so it seems to do no good to back trace steps. According to this unofficial post:
kb5021655 is supposed to fix everything, and the advice is to undo any workaround previously implemented. I think for the time being, I'm going to assume that installing this patch on Server 2019 DCs takes care of all issues.
Thanks for your responses.