Hello,
I'm requesting some guidance / clarification on documents that initiated back in Nov 2021 & May 2022 regarding the Kerberos Distribution Center (KDC) and how it will be servicing a certificate-based authentication request with strong bindings only. After May 2023, clients will no longer be able to authenticate with a "weak" certificate mapping. I'm late to the game on this one and most of the patches mentioned will not install on my Server 2019 test DCs or the CA. I get a dialog that this patch is not applicable to my computer. I believe I understand now, using the catalog, that only the latest update will install. The problem is that when I install the latest relevant patch, I don't get the behavior described in the docs (such as the registry keys for StrongCertificateBindingEnforcement on domain controllers).
Here are the articles I'm attempting to follow:
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16#bkmk_kdcregkey
https://support.microsoft.com/en-gb/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-kerberos-auth-issues-in-emergency-updates/
The final article seems to suggest that patch KB5021655 should resolve all of the issues that were laid out in the previous year (for Server 2019). It also seems, when using the Microsoft Update Catalog, that this patch supersedes most of the earlier patches.
My concerns are that I never did see the registry key on the domain controllers for StrongCertificateBindingEnforcement, so I can't verify if I'm progressing correctly. I saw some of the event activity very briefly (maybe because I installed the latest patch too soon). I would also like to know if this applies to device certificates, since we don't use user certs.
Any guidance here is appreciated.
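The question above hinges on two things a DC admin can verify locally: whether the StrongCertificateBindingEnforcement value is present (and what its absence means), and whether the KDC is logging the KB5014754 mapping events. The script below is an added example written for this page; it is not from the original post or from Microsoft's KB articles. It assumes you run it in an elevated PowerShell session on a Server 2016/2019/2022 domain controller, and it only reads the registry and the System log (it changes nothing). The lookback window, the key and value names, the event IDs and the SID-extension OID are taken from KB5014754; the certificate path passed to `Test-CertHasSidExtension` is a placeholder you supply.

```powershell
# Added example (not the original poster's code, not Microsoft's): read the KDC
# strong-binding state and recent mapping events described in KB5014754.
# Run elevated on a domain controller. Read-only.

$KdcKey       = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValName      = 'StrongCertificateBindingEnforcement'
$LookbackDays = 7   # assumption: how far back to search the System log

function Get-KdcStrongBindingState {
    # The update does not create this value. If it is absent the KDC runs in
    # the default Compatibility mode, which is why a freshly patched DC shows
    # no key at all. Values: 0 = disabled, 1 = compatibility, 2 = full enforcement.
    $item = Get-ItemProperty -Path $KdcKey -Name $ValName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = 'absent'; Mode = 'Not set: default Compatibility mode (same as 1)' }
    }
    $meaning = switch ($item.$ValName) {
        0       { 'Disabled: strong-mapping check off (temporary rollback only)' }
        1       { 'Compatibility: weak mappings still allowed, warnings logged' }
        2       { 'Full enforcement: weak mappings rejected' }
        default { 'Unrecognised value' }
    }
    [pscustomobject]@{ Value = $item.$ValName; Mode = $meaning }
}

function Get-KdcCertMappingEvents {
    # Events logged by the KDC on Server 2016 and later after KB5014754:
    #   39 = certificate valid but could not be mapped strongly
    #   40 = certificate was issued before the account existed
    #   41 = SID in the certificate extension differs from the mapped account
    # (Server 2008 R2 / 2012 R2 use IDs 41, 48 and 49 instead.)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39, 40, 41
        StartTime    = (Get-Date).AddDays(-$LookbackDays)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

function Test-CertHasSidExtension {
    # True when the certificate carries the SID extension (OID 1.3.6.1.4.1.311.25.2,
    # szOID_NTDS_CA_SECURITY_EXT) that a patched Enterprise CA adds; the KDC uses
    # it for a strong binding when no explicit altSecurityIdentities mapping exists.
    param([Parameter(Mandatory)][string]$Path)   # placeholder: path to a .cer file
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.25.2' })
}

# --- report -------------------------------------------------------------
$state = Get-KdcStrongBindingState
"{0}\{1} = {2}`n  {3}" -f $KdcKey, $ValName, $state.Value, $state.Mode

$events = @(Get-KdcCertMappingEvents)
"`nKDC mapping events (last $LookbackDays days): $($events.Count)"
$events | Format-Table -AutoSize

# Example use for an exported certificate (replace the placeholder path):
# Test-CertHasSidExtension -Path 'C:\placeholder\issued-cert.cer'
```

If the report shows the value as absent, that matches the KB's documented default rather than a missing patch: the DC is in Compatibility mode until the value is explicitly created. Event IDs 39/40/41 only appear when a certificate logon actually reaches the KDC, so an empty event list on a test DC with no certificate logons is expected and is not by itself evidence that the update is inactive. `Test-CertHasSidExtension` returning `$false` for a certificate issued after the CA was patched is the thing worth investigating, since that extension is what makes a certificate strongly mapped without any manual altSecurityIdentities entry.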