3.1.5.2.1.3 Explicit Mapping

The KDC MUST confirm the explicit mapping of the account to a certificate. Implementations of PKCA KDCs which use Active Directory for the account database MUST confirm that the altSecurityIdentities attribute ([MS-ADA1] section 2.61) contains the string created by concatenating the following information from the certificate in the order shown:

  1. Subject and Issuer Name fields: "X509:<I>" + Issuer Name field with "\r" and "\n" replaced with "," + "<S>" + Subject field with "\r" and "\n" replaced with ",".

  2. Subject field: "X509:<S>" + Subject field with "\r" and "\n" replaced with ",".

  3. Issuer and Serial Number fields: "X509:<I>" + Issuer Name field with "\r" and "\n" replaced with "," + "<SR>" + Serial Number field.

  4. Subject Key Identifier field: "X509:<SKI>" + Subject Key Identifier field.

  5. SHA1 hash of public key: "X509:<SHA1-PUKEY>" + SHA1 hash of public key.

  6. 822 field: "X509:<RFC822>" + 822 Name field.

If they do not match, the KDC SHOULD return KDC_ERR_CLIENT_NAME_MISMATCH.
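The following Python script is an added example and is not part of [MS-PKCA] or of any Windows implementation. It builds the six candidate strings listed above from constructed certificate fields, then performs the KDC-side comparison against an account's altSecurityIdentities values and returns KDC_ERR_CLIENT_NAME_MISMATCH when none is present. The sample certificate values, the helper names (flatten_name, mapping_strings, explicit_mapping_check) and the rendering of the Serial Number, Subject Key Identifier and SHA1 hash as uppercase hex text are assumptions of the example; this section does not specify a text encoding or byte order for those fields, so a real implementation must match whatever encoding the directory values actually use.

```python
import hashlib

# Constructed sample inputs; not taken from any real certificate or directory.
SAMPLE_ISSUER = "CN=Example Issuing CA\nDC=example\nDC=com"
SAMPLE_SUBJECT = "CN=jdoe\nOU=Users\nDC=example\nDC=com"
SAMPLE_SERIAL_HEX = "1B2C3D4E5F"                                  # assumed hex text
SAMPLE_SKI_HEX = "A1B2C3D4E5F60718293A4B5C6D7E8F9011223344"      # assumed hex text
SAMPLE_PUBLIC_KEY = b"\x30\x82\x01\x22constructed-subjectPublicKeyInfo-bytes"
SAMPLE_RFC822 = "jdoe@example.com"


def flatten_name(name: str) -> str:
    """Rule used by items 1-3: replace "\r" and "\n" in a Name field with ",".
    Applied per character, exactly as the text states."""
    return name.replace("\r", ",").replace("\n", ",")


def mapping_strings(issuer, subject, serial_hex, ski_hex, public_key, rfc822):
    """Return the six candidate altSecurityIdentities values, keyed by the
    item number of the list in this section. Hex encoding of the serial,
    SKI and public-key hash is an assumption of this example."""
    i = flatten_name(issuer)
    s = flatten_name(subject)
    pukey_sha1 = hashlib.sha1(public_key).hexdigest().upper()
    return {
        1: f"X509:<I>{i}<S>{s}",                 # Issuer + Subject
        2: f"X509:<S>{s}",                       # Subject only
        3: f"X509:<I>{i}<SR>{serial_hex.upper()}",  # Issuer + Serial Number
        4: f"X509:<SKI>{ski_hex.upper()}",       # Subject Key Identifier
        5: f"X509:<SHA1-PUKEY>{pukey_sha1}",     # SHA1 hash of public key
        6: f"X509:<RFC822>{rfc822}",             # 822 Name
    }


def explicit_mapping_check(cert_mappings, alt_security_identities):
    """KDC-side check: the account's altSecurityIdentities must contain one of
    the certificate's candidate strings. Returns (True, item_number) on a match,
    otherwise (False, "KDC_ERR_CLIENT_NAME_MISMATCH"), the error this section
    says the KDC SHOULD return."""
    stored = set(alt_security_identities)
    for item, value in cert_mappings.items():
        if value in stored:
            return True, item
    return False, "KDC_ERR_CLIENT_NAME_MISMATCH"


def sample_mappings():
    """Candidate strings for the constructed sample certificate."""
    return mapping_strings(SAMPLE_ISSUER, SAMPLE_SUBJECT, SAMPLE_SERIAL_HEX,
                           SAMPLE_SKI_HEX, SAMPLE_PUBLIC_KEY, SAMPLE_RFC822)


if __name__ == "__main__":
    candidates = sample_mappings()
    for item, value in candidates.items():
        print(item, value)
    # Account mapped with the Issuer + Serial Number form (constructed value).
    account = [candidates[3]]
    print(explicit_mapping_check(candidates, account))
    # Account whose only mapping names a different subject: mismatch.
    print(explicit_mapping_check(candidates, ["X509:<S>CN=someone-else"]))
```

Note that forms 1, 2 and 6 identify the certificate by names alone, so any certificate carrying the same subject or e-mail address would produce the same string, whereas forms 3, 4 and 5 bind the mapping to the issuer plus serial number, the key identifier or the key hash; Microsoft's later guidance (KB5014754) classifies the name-only forms as weak mappings for this reason.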