3.1.5.2.1.4 Key Trust
The KDC SHOULD<21> look the account up using the public key. If an account is found with the public key that is trusted for the account, then the KDC SHOULD:
If the account was also found using the cname but the accounts do not match, return KDC_ERR_CLIENT_NAME_MISMATCH.
Ignore any certificate chain validation errors.
Implementations of PKCA KDCs that use Active Directory for the account database MUST confirm that the msDS-KeyMaterial attribute ([MS-ADA2] section 2.350) contains the same public key.
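The decision sequence above, as an added example written for this page and not code from MS-PKCA or any Microsoft implementation. It models a key-trust lookup in Python: the directory, its key index, the placeholder key bytes and the `(None, None)` "fall through to certificate validation" outcome are constructed assumptions; only the msDS-KeyMaterial check and the KDC_ERR_CLIENT_NAME_MISMATCH outcome come from the text. It also shows why the explicit msDS-KeyMaterial comparison matters when the lookup index has gone stale.

```python
from dataclasses import dataclass, field
from typing import Optional

# Error the spec names when the cname and the key resolve to different accounts.
KDC_ERR_CLIENT_NAME_MISMATCH = "KDC_ERR_CLIENT_NAME_MISMATCH"


@dataclass
class Account:
    """Directory account. key_material models msDS-KeyMaterial: the public
    keys (SubjectPublicKeyInfo bytes) trusted for this account."""
    name: str
    key_material: list = field(default_factory=list)


@dataclass
class Directory:
    """Constructed account database (assumption, not an AD schema). key_index
    maps a public key to the account it was registered for; a real index can
    lag behind msDS-KeyMaterial, which is why the explicit attribute check in
    key_trust_lookup is still performed after the index hit."""
    accounts: dict   # cname -> Account
    key_index: dict  # public key bytes -> account name

    def find_by_key(self, pubkey: bytes) -> Optional[Account]:
        name = self.key_index.get(pubkey)
        return self.accounts.get(name) if name else None

    def find_by_cname(self, cname: str) -> Optional[Account]:
        return self.accounts.get(cname)


def key_trust_lookup(directory: Directory, cname: str, pubkey: bytes,
                     chain_errors: list):
    """Model of the key-trust path of MS-PKCA section 3.1.5.2.1.4.

    Returns (account, error):
      (Account, None)  key trust established; chain_errors are ignored
      (None, error)    the request is rejected with the named error
      (None, None)     no account is trusted for this key (assumption: the
                       caller continues with certificate-based validation)
    """
    by_key = directory.find_by_key(pubkey)
    if by_key is None:
        return None, None
    # AD-backed KDCs MUST confirm msDS-KeyMaterial contains the same key;
    # an index hit alone is not sufficient.
    if pubkey not in by_key.key_material:
        return None, None
    by_name = directory.find_by_cname(cname)
    if by_name is not None and by_name is not by_key:
        return None, KDC_ERR_CLIENT_NAME_MISMATCH
    # Under key trust the certificate chain does not establish trust, so
    # chain validation errors are deliberately not consulted here.
    return by_key, None


# Constructed sample directory: key bytes are placeholders, not real SPKI.
KEY_ALICE = b"SPKI-alice-placeholder"
KEY_BOB = b"SPKI-bob-placeholder"
KEY_STALE = b"SPKI-stale-placeholder"      # still indexed, no longer in msDS-KeyMaterial
KEY_UNKNOWN = b"SPKI-unknown-placeholder"

SAMPLE_DIRECTORY = Directory(
    accounts={
        "alice": Account("alice", [KEY_ALICE]),
        "bob": Account("bob", [KEY_BOB]),
    },
    key_index={KEY_ALICE: "alice", KEY_BOB: "bob", KEY_STALE: "alice"},
)

if __name__ == "__main__":
    cases = [("alice", KEY_ALICE, []),
             ("alice", KEY_ALICE, ["chain: untrusted root"]),
             ("bob", KEY_ALICE, []),
             ("alice", KEY_STALE, []),
             ("carol", KEY_UNKNOWN, [])]
    for cname, key, errs in cases:
        print(cname, key, errs, "->", key_trust_lookup(SAMPLE_DIRECTORY, cname, key, errs))
```

The stale-index case is the one worth watching in a real deployment: the index still points KEY_STALE at alice, but because the key is absent from her msDS-KeyMaterial the lookup does not grant key trust, exactly the check the last sentence of the section requires.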