Microsoft provides a feature called security identity mapping, which attaches a certificate to an account or a group. This can serve as alternate credentials for authentication on resources in certain scenarios.
However, a certificate mapped to a privileged account is dangerous if that certificate is not protected as well as the sensitive account itself. It can also indicate a persistence mechanism that an attacker previously set.
Whenever an alternate security identity is set on a privileged Active Directory account, evaluate it and decide whether to accept the risk of elevation of privileges. When in doubt, you can safely remove it.
Note: This feature does not relate to the use of smart cards, which remains a strong security option for authentication with proper configuration.
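One way to run this evaluation offline, as an added example that is not code from the original page: it reads an LDIF export of the directory, lists every mapping stored in the `altSecurityIdentities` attribute of accounts with `adminCount` set to 1, and labels each mapping strong or weak. Assumptions: `adminCount=1` stands in for "privileged", the LDIF sample is constructed, and the strong/weak labels follow Microsoft's published distinction between mapping forms, which goes beyond what the page states.

```python
import re

# Constructed sample of an LDIF export; not real directory data.
SAMPLE_LDIF = """\
dn: CN=adm-alice,OU=Admins,DC=example,DC=test
sAMAccountName: adm-alice
adminCount: 1
altSecurityIdentities: X509:<I>DC=test,DC=example,CN=Example-CA<S>CN=adm-alice

dn: CN=adm-bob,OU=Admins,DC=example,DC=test
sAMAccountName: adm-bob
adminCount: 1
altSecurityIdentities: X509:<SKI>0123456789abcdef0123456789abcdef01234567

dn: CN=carol,OU=Staff,DC=example,DC=test
sAMAccountName: carol
altSecurityIdentities: X509:<RFC822>carol@example.test
"""

# Mapping forms Microsoft classifies as strong; every other X509 form is weak.
STRONG = ({"I", "SR"}, {"SKI"}, {"SHA1-PUKEY"})

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per blank-line-separated record."""
    text = re.sub(r"\n ", "", text)  # unfold LDIF continuation lines
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            entry.setdefault(name.lower(), []).append(value)
        yield entry

def mapping_strength(value):
    """Classify one altSecurityIdentities value by its <TAG> fields."""
    if not value.upper().startswith("X509:"):
        return "non-X509"
    tags = {t.upper() for t in re.findall(r"<([A-Za-z0-9-]+)>", value)}
    return "strong" if tags in STRONG else "weak"

def audit(text):
    """Return (account, strength, mapping) per mapping on adminCount=1 accounts."""
    findings = []
    for e in parse_ldif(text):
        if e.get("admincount") != ["1"]:  # assumption: adminCount=1 marks privilege
            continue
        for m in e.get("altsecurityidentities", []):
            findings.append((e["samaccountname"][0], mapping_strength(m), m))
    return findings
```

Because `adminCount` can be stale or missing, treat the output as a starting list for review and cross-check it against actual privileged group membership.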
Mapping a client certificate to an AD domain account using clientCertificateMappingAuthentication