3.1.5.2.1.3 Explicit Mapping
The KDC MUST confirm the explicit mapping of the account to a certificate. Implementations of PKCA KDCs which use Active Directory for the account database MUST confirm that the altSecurityIdentities attribute ([MS-ADA1] section 2.61) contains the string created by concatenating the following information from the certificate in the order shown:
Subject and Issuer Name fields: "X509:<I>" + Issuer Name field with "\r" and "\n" replaced with "," + "<S>" + Subject field with "\r" and "\n" replaced with ",".
Subject field: "X509:<S>" + Subject field with "\r" and "\n" replaced with ",".
Issuer and Serial Number fields: "X509:<I>" + Issuer Name field with "\r" and "\n" replaced with "," + "<SR>" + Serial Number field.
Subject Key Identifier field: "X509:<SKI>" + Subject Key Identifier field.
SHA1 hash of public key: "X509:<SHA1-PUKEY>" + SHA1 hash of public key.
822 field: "X509:<RFC822>" + 822 Name field.
If no altSecurityIdentities value matches one of these strings, the KDC SHOULD return KDC_ERR_CLIENT_NAME_MISMATCH.
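The string construction and comparison described above, as an added Python example that is not part of [MS-PKCA] or of any Microsoft KDC implementation; the certificate values are constructed, binary fields are given as hex strings, and a "\r\n" pair in a formatted name is treated as a single separator (an assumption about how the name is formatted before the replacement).

```python
from dataclasses import dataclass
from typing import List, Optional

KDC_ERR_CLIENT_NAME_MISMATCH = "KDC_ERR_CLIENT_NAME_MISMATCH"


@dataclass
class CertFields:
    """Certificate fields as the KDC would extract them (constructed sample, not a real certificate)."""
    issuer: str                     # Issuer Name, RDNs separated by "\r\n"
    subject: str                    # Subject, RDNs separated by "\r\n"
    serial_number: str              # Serial Number as hex
    subject_key_identifier: str     # SKI extension value as hex
    sha1_public_key: str            # SHA1 hash of the public key as hex
    rfc822_name: Optional[str] = None  # RFC 822 name from SAN, if present


def _flatten_name(name: str) -> str:
    """Replace the "\r" / "\n" separators of a formatted name with "," (a "\r\n" pair becomes one ",")."""
    return name.replace("\r\n", ",").replace("\r", ",").replace("\n", ",")


def build_mapping_strings(cert: CertFields) -> List[str]:
    """Build every altSecurityIdentities string that would explicitly map this certificate."""
    issuer = _flatten_name(cert.issuer)
    subject = _flatten_name(cert.subject)
    strings = [
        f"X509:<I>{issuer}<S>{subject}",                      # Subject and Issuer Name
        f"X509:<S>{subject}",                                 # Subject only
        f"X509:<I>{issuer}<SR>{cert.serial_number}",          # Issuer and Serial Number
        f"X509:<SKI>{cert.subject_key_identifier}",           # Subject Key Identifier
        f"X509:<SHA1-PUKEY>{cert.sha1_public_key}",           # SHA1 hash of public key
    ]
    if cert.rfc822_name:
        strings.append(f"X509:<RFC822>{cert.rfc822_name}")    # 822 Name (no space after the colon, assumed)
    return strings


def confirm_explicit_mapping(cert: CertFields, alt_security_identities: List[str]) -> Optional[str]:
    """Return None when the account's altSecurityIdentities explicitly maps the certificate, else the KDC error."""
    candidates = set(build_mapping_strings(cert))
    if any(value in candidates for value in alt_security_identities):
        return None
    return KDC_ERR_CLIENT_NAME_MISMATCH


# Constructed sample certificate and account attribute values.
SAMPLE_CERT = CertFields(
    issuer="CN=Contoso Issuing CA\r\nDC=contoso\r\nDC=com",
    subject="CN=alice\r\nOU=Users\r\nDC=contoso\r\nDC=com",
    serial_number="1a2b3c4d5e",
    subject_key_identifier="0102030405060708090a0b0c0d0e0f1011121314",
    sha1_public_key="a1b2c3d4e5f60718293a4b5c6d7e8f9011223344",
    rfc822_name="alice@contoso.com",
)
SAMPLE_ALT_SEC_IDS = ["X509:<I>CN=Contoso Issuing CA,DC=contoso,DC=com<SR>1a2b3c4d5e"]
```

Calling `confirm_explicit_mapping(SAMPLE_CERT, SAMPLE_ALT_SEC_IDS)` returns None (mapping confirmed); the same certificate with a different serial number, or an account whose attribute is empty, yields KDC_ERR_CLIENT_NAME_MISMATCH.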