HKLM\SYSTEM\CurrentControlSet\Services\Kdc (value: StrongCertificateBindingEnforcement)
The problem is the fallback. If the DC can't find the strong binding (perhaps because of an old certificate or a misconfigured attribute), it happily accepts the weak mapping. Attackers specifically craft their exploits to trigger that fallback path, bypassing strong binding entirely.
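A defender's check for the setting described above, written as an added example (not code from the original page): it reads StrongCertificateBindingEnforcement from the Kdc key on a domain controller and then looks for the KDC events that record certificates accepted only through the weak fallback. The meaning of values 0/1/2, the event IDs 39/40/41 and the provider name are taken from Microsoft's KDC hardening documentation and are assumptions to verify against your OS build.

```powershell
# Added example: audit a DC's KDC certificate-binding posture (run locally on a DC as admin).
# Assumptions: value meanings, event IDs 39/40/41 and the provider name follow Microsoft's
# documentation for the KDC certificate-mapping hardening.
$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$Name   = 'StrongCertificateBindingEnforcement'

$value = (Get-ItemProperty -Path $KdcKey -Name $Name -ErrorAction SilentlyContinue).$Name

$modes = @{
    0 = 'Disabled: weak (legacy) mappings accepted silently'
    1 = 'Compatibility: weak mappings accepted but audited (fallback path still open)'
    2 = 'Full enforcement: weak mappings rejected'
}

if ($null -eq $value) {
    # An absent value means the OS default for the installed patch level applies.
    Write-Output "$Name not set under $KdcKey (OS default applies; confirm patch level)"
} elseif ($modes.ContainsKey([int]$value)) {
    Write-Output "$Name = $value -> $($modes[[int]$value])"
} else {
    Write-Output "$Name = $value -> unrecognised value, review manually"
}

# Evidence that the fallback is being exercised: KDC events 39 (no strong mapping),
# 40 (certificate predates the account) and 41 (SID in certificate does not match).
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 39, 40, 41
    StartTime    = $since
} -ErrorAction SilentlyContinue

if ($events) {
    $events | Group-Object Id | ForEach-Object {
        Write-Output ('Event {0}: {1} occurrence(s) since {2:d}' -f $_.Name, $_.Count, $since)
    }
    Write-Output 'Weak mappings observed: reissue those certificates before enabling full enforcement.'
} else {
    Write-Output "No KDC weak-mapping events (39/40/41) since $($since.ToShortDateString())"
}
```

Run it on every DC, since the registry value is per-server and a single DC left in compatibility mode keeps the fallback path reachable.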