3.1.5.2.1.4 Key Trust

The KDC SHOULD<22> look the account up using the public key from the client's certificate. If an account is found for which that public key is trusted, then the KDC SHOULD:

  • If the account was also found using the cname but the accounts do not match, return KDC_ERR_CLIENT_NAME_MISMATCH.

  • Ignore any certificate chain validation errors. Under Key Trust the trust is anchored in the key bound to the account, not in the certificate's issuer, so the chain carries no additional trust decision.

Implementations of PKCA KDCs that use Active Directory for the account database MUST confirm that the msDS-KeyMaterial attribute ([MS-ADA2] section 2.361) contains the same public key. A hit on a key identifier during the directory search is only a candidate; the stored key material itself must match the certificate's public key.
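The following is an added illustration of the lookup and decision logic above; it is example code written for this page, not Microsoft's KDC implementation. The Account record, the KeyTrustResult type, the SHA-256 key identifier used for the directory search, and the sample key blobs are all constructed for the demonstration; in a real KDC the trusted key comes from the account's msDS-KeyMaterial attribute.

```python
"""Worked example of the MS-PKCA Key Trust lookup (section 3.1.5.2.1.4).

Added for this page; not Microsoft's KDC code. Account records, key blobs and
helper names are constructed for the demonstration. In a real KDC the trusted
key comes from the account's msDS-KeyMaterial attribute in Active Directory.
"""
import hashlib
from dataclasses import dataclass
from hmac import compare_digest
from typing import Dict, Iterable, List, Optional, Tuple

# RFC 4120 error returned when the key lookup and the cname lookup disagree.
KDC_ERR_CLIENT_NAME_MISMATCH = "KDC_ERR_CLIENT_NAME_MISMATCH"


@dataclass(frozen=True)
class Account:
    sam_account_name: str
    # DER SubjectPublicKeyInfo blobs trusted for the account: a constructed
    # stand-in for what msDS-KeyMaterial holds in Active Directory.
    key_material: Tuple[bytes, ...] = ()


@dataclass
class KeyTrustResult:
    account: Optional[Account]                   # account to authenticate, or None
    error: Optional[str] = None                  # KDC error to return, if any
    ignored_chain_errors: Tuple[str, ...] = ()   # chain errors discarded under Key Trust


def key_id(spki_der: bytes) -> bytes:
    """Identifier used to search the directory (example choice: SHA-256 of the DER)."""
    return hashlib.sha256(spki_der).digest()


def build_key_index(accounts: Iterable[Account]) -> Dict[bytes, Account]:
    """Index accounts by key identifier, the way a directory search by key would."""
    index: Dict[bytes, Account] = {}
    for acct in accounts:
        for blob in acct.key_material:
            kid = key_id(blob)
            if kid in index and index[kid] is not acct:
                raise ValueError("public key trusted on two accounts; lookup is ambiguous")
            index[kid] = acct
    return index


def key_trust_lookup(
    cert_spki_der: bytes,
    cname: Optional[str],
    accounts_by_name: Dict[str, Account],
    key_index: Dict[bytes, Account],
    chain_errors: List[str],
) -> KeyTrustResult:
    """Apply the Key Trust rules to the public key from a PKINIT client certificate."""
    by_key = key_index.get(key_id(cert_spki_der))
    if by_key is None:
        # No account trusts this key: Key Trust does not apply. Chain errors are
        # left for the certificate-trust path to evaluate (not shown here).
        return KeyTrustResult(account=None)

    # MUST: the indexed hit is only a candidate. Confirm the stored key material
    # contains this exact key, byte for byte, before trusting it.
    if not any(compare_digest(blob, cert_spki_der) for blob in by_key.key_material):
        return KeyTrustResult(account=None)

    # If the cname also resolved to an account, it must be the same account.
    by_name = accounts_by_name.get(cname) if cname is not None else None
    if by_name is not None and by_name is not by_key:
        return KeyTrustResult(account=None, error=KDC_ERR_CLIENT_NAME_MISMATCH)

    # Trust is anchored in the key bound to the account, so chain validation
    # errors are ignored (kept here only so an operator can log them).
    return KeyTrustResult(account=by_key, ignored_chain_errors=tuple(chain_errors))


# Constructed sample keys: a P-256 SubjectPublicKeyInfo prefix followed by a
# fake, never-validated point. Placeholders, not real keys.
_P256_SPKI_PREFIX = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d03010703420004")
ALICE_KEY = _P256_SPKI_PREFIX + bytes([0x11]) * 64
BOB_KEY = _P256_SPKI_PREFIX + bytes([0x22]) * 64
UNKNOWN_KEY = _P256_SPKI_PREFIX + bytes([0x33]) * 64

ALICE = Account("alice", (ALICE_KEY,))
BOB = Account("bob", (BOB_KEY,))
ACCOUNTS_BY_NAME = {a.sam_account_name: a for a in (ALICE, BOB)}
KEY_INDEX = build_key_index((ALICE, BOB))


def demo() -> Dict[str, KeyTrustResult]:
    """Run the outcomes the section describes against the constructed directory."""
    chain = ["untrusted root"]
    return {
        "match": key_trust_lookup(ALICE_KEY, "alice", ACCOUNTS_BY_NAME, KEY_INDEX, chain),
        "mismatch": key_trust_lookup(ALICE_KEY, "bob", ACCOUNTS_BY_NAME, KEY_INDEX, chain),
        "no_key_trust": key_trust_lookup(UNKNOWN_KEY, "alice", ACCOUNTS_BY_NAME, KEY_INDEX, chain),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The index lookup and the byte-for-byte confirmation are deliberately separate steps: a directory search keyed on a derived identifier can return a stale or mismatched entry, and the MUST in the text is what stops such an entry from authenticating a key the account never registered.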