Key Trust

The KDC SHOULD<21>  look the account up using the public key. If an account is found with the public key that is trusted for the account, then the KDC SHOULD:

  • If the account was also found using the cname but the accounts do not match, return KDC_ERR_CLIENT_NAME_MISMATCH.

  • Ignore any certificate chain validation errors.

Implementations of PKCA KDCs that use Active Directory for the account database MUST confirm that the msDS-KeyMaterial attribute ([MS-ADA2] section 2.350) contains the same public key.