The behavior of your Domain Controllers is governed by the value assigned to HKLM\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement:
This led to the infamous scenario, where an attacker could impersonate a privileged user simply by presenting a certificate with a spoofed SAN.
REG_DWORD
If you are running a domain functional level of 2016 or higher, you should be targeting .