The KDC MUST confirm the explicit mapping of the account to a certificate. Implementations of PKCA KDCs that use Active Directory for the account database MUST confirm that the altSecurityIdentities attribute ([MS-ADA1] section 2.61) contains a string created by concatenating the following information from the certificate, in one of the forms listed below and in the order shown:
Subject and Issuer Name fields: "X509:<I>" + Issuer Name field with "\r" and "\n" replaced with "," + "<S>" + Subject field with "\r" and "\n" replaced with ",".
Subject field: "X509:<S>" + Subject field with "\r" and "\n" replaced with ",".
Issuer and Serial Number fields: "X509:<I>" + Issuer Name field with "\r" and "\n" replaced with "," + "<SR>" + Serial Number field.
Subject Key Identifier field: "X509:<SKI>" + Subject Key Identifier field.
SHA1 hash of public key: "X509:<SHA1-PUKEY>" + SHA1 hash of public key.
822 field: "X509:<RFC822>" + 822 Name field.
Issuer and SID fields: "X509:<I>" + Issuer Name field with "\r" and "\n" replaced with "," + "<SID>" + SID field.<22> More information about the SID field can be found in section 3.1.5.2.1.6.
If none of the strings in altSecurityIdentities matches the value derived from the certificate, the KDC SHOULD return KDC_ERR_CLIENT_NAME_MISMATCH.
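The mapping rules above, worked through as an added example (it is not code from MS-PKCA or from any Microsoft implementation): it builds each candidate altSecurityIdentities string from already-extracted certificate fields and performs the KDC-side comparison. The `cert` dictionary, its field encodings, exact string comparison, and treating a CRLF pair as a single separator are assumptions made for the example.

```python
import hashlib

def _flatten(name: str) -> str:
    """Replace "\\r" and "\\n" in a Name field with "," as the mapping rules require.
    A CRLF pair is treated as one separator (assumption; the rule text lists the
    two characters separately)."""
    return name.replace("\r\n", ",").replace("\r", ",").replace("\n", ",")

def mapping_candidates(cert: dict) -> list[str]:
    """Return every altSecurityIdentities string that could map to this certificate.

    `cert` is a constructed dict of fields already pulled from the certificate:
    issuer, subject (Name fields, CR/LF-separated), serial (hex string),
    ski (hex string), public_key (DER bytes), rfc822 (mail name), sid (string).
    Optional fields that are absent simply produce no candidate."""
    issuer = _flatten(cert["issuer"])
    subject = _flatten(cert["subject"])
    out = [
        f"X509:<I>{issuer}<S>{subject}",            # Subject and Issuer Name
        f"X509:<S>{subject}",                       # Subject only
        f"X509:<I>{issuer}<SR>{cert['serial']}",    # Issuer and Serial Number
    ]
    if cert.get("ski"):
        out.append(f"X509:<SKI>{cert['ski']}")       # Subject Key Identifier
    if cert.get("public_key"):
        digest = hashlib.sha1(cert["public_key"]).hexdigest()
        out.append(f"X509:<SHA1-PUKEY>{digest}")     # SHA1 hash of public key
    if cert.get("rfc822"):
        out.append(f"X509:<RFC822>{cert['rfc822']}") # 822 Name
    if cert.get("sid"):
        out.append(f"X509:<I>{issuer}<SID>{cert['sid']}")  # Issuer and SID
    return out

def explicit_mapping_matches(cert: dict, alt_security_identities: list[str]) -> bool:
    """KDC-side check: True when the (multi-valued) altSecurityIdentities attribute
    holds at least one candidate string; otherwise the KDC should answer with
    KDC_ERR_CLIENT_NAME_MISMATCH."""
    values = set(alt_security_identities)
    return any(candidate in values for candidate in mapping_candidates(cert))
```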