The KDC SHOULD<23> look the account up using the public key. If an account is found with the public key that is trusted for the account, then the KDC SHOULD:
If the account was also found using the cname but the accounts do not match, return KDC_ERR_CLIENT_NAME_MISMATCH.
Ignore any certificate chain validation errors.
Implementations of PKCA KDCs that use Active Directory for the account database MUST confirm that the msDS-KeyCredentialLink attribute ([MS-ADA2] section 2.358) contains the same public key. See [MS-ADTS] section 2.2.20.5.1 for how the 2048-bit RSA [RFC8017] public key is stored.
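The lookup procedure above, modelled as an added example that is not part of [MS-PKCA] or any Microsoft implementation. It uses a constructed in-memory account store in place of Active Directory; the key byte strings, the `key_credential_link` field standing in for msDS-KeyCredentialLink, the `no_match` result for the case this section does not cover, and the `KEY_NOT_IN_KEYCREDENTIALLINK` label used when the MUST check fails are all assumptions of this example (the specification does not name an error code for that case here).

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

KDC_ERR_CLIENT_NAME_MISMATCH = "KDC_ERR_CLIENT_NAME_MISMATCH"
# Constructed label for a failed msDS-KeyCredentialLink check; not a Kerberos error code.
KEY_NOT_IN_KEYCREDENTIALLINK = "KEY_NOT_IN_KEYCREDENTIALLINK"


@dataclass
class Account:
    sam_name: str
    # Public keys trusted for this account (opaque encoded key bytes; constructed).
    trusted_public_keys: frozenset
    # Stand-in for the msDS-KeyCredentialLink attribute on the AD object (constructed).
    key_credential_link: frozenset


def find_by_public_key(accounts: Dict[str, Account], public_key: bytes) -> Optional[Account]:
    """Look the account up using the public key (hypothetical index over trusted keys)."""
    for acct in accounts.values():
        if public_key in acct.trusted_public_keys:
            return acct
    return None


def find_by_cname(accounts: Dict[str, Account], cname: Optional[str]) -> Optional[Account]:
    """Look the account up using the cname from the request, if one was supplied."""
    if not cname:
        return None
    return accounts.get(cname.lower())


def kdc_lookup(accounts: Dict[str, Account], public_key: bytes, cname: Optional[str],
               chain_validation_error: Optional[str] = None,
               use_active_directory: bool = True) -> Tuple[str, object]:
    """Apply the steps from the section above.

    Returns ("ok", account), ("error", code) or ("no_match", None).
    chain_validation_error is accepted but deliberately ignored: on this path the
    trust decision rests on the public key, not on the certificate chain.
    """
    by_key = find_by_public_key(accounts, public_key)
    if by_key is None:
        # No account trusts this key; this section's steps do not apply.
        return ("no_match", None)

    # If the account was also found using the cname but the two do not match,
    # return KDC_ERR_CLIENT_NAME_MISMATCH.
    by_name = find_by_cname(accounts, cname)
    if by_name is not None and by_name is not by_key:
        return ("error", KDC_ERR_CLIENT_NAME_MISMATCH)

    # AD-backed KDCs MUST confirm the same key is present in msDS-KeyCredentialLink.
    if use_active_directory and public_key not in by_key.key_credential_link:
        return ("error", KEY_NOT_IN_KEYCREDENTIALLINK)

    return ("ok", by_key)


# Constructed sample data: opaque stand-ins for encoded RSA public keys.
KEY_ALICE = b"constructed-spki-alice"
KEY_BOB = b"constructed-spki-bob"
KEY_STALE = b"constructed-spki-stale"


def build_sample_accounts() -> Dict[str, Account]:
    """Two accounts; 'bob' trusts a key that is missing from his KeyCredentialLink."""
    return {
        "alice": Account("alice", frozenset({KEY_ALICE}), frozenset({KEY_ALICE})),
        "bob": Account("bob", frozenset({KEY_BOB, KEY_STALE}), frozenset({KEY_BOB})),
    }


if __name__ == "__main__":
    store = build_sample_accounts()
    print(kdc_lookup(store, KEY_ALICE, "alice"))
    print(kdc_lookup(store, KEY_ALICE, "bob"))          # name mismatch
    print(kdc_lookup(store, KEY_STALE, "bob"))          # not in KeyCredentialLink
    print(kdc_lookup(store, KEY_ALICE, "alice", chain_validation_error="expired"))
```

The cname check is the step defenders should pay attention to: a request whose key maps to one account while its cname names another is rejected outright rather than resolved in favour of either lookup, and the KeyCredentialLink confirmation prevents a key trusted elsewhere from being honoured unless the directory object itself carries it.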