3.1.5.2.1.5 Mapping Strength

The KDC SHOULD<23> map a certificate to a user using one of the following mappings. These methods of mapping a certificate to a user are classified as strong or weak based on whether they depend on a name as a secure identifier. The following mappings are considered weak:

  • SAN UPNName

  • SAN DNSName

  • altSecurityIdentities Issuer Name and Subject Name

  • altSecurityIdentities Subject Name

  • altSecurityIdentities 822 field

If a KDC maps a certificate to a user using one of the above weak mappings, it SHOULD<24> continue to search for more mappings until it encounters a strong mapping. If it does not find such a mapping, it MAY fail the authentication request with KDC_ERR_CERTIFICATE_MISMATCH.

The following mappings are considered strong:

  • SID (section 3.1.5.2.1.6)

  • Key Trust (section 3.1.5.2.1.4)

  • altSecurityIdentities Issuer and Serial Number

  • altSecurityIdentities Subject Key Identifier

  • altSecurityIdentities SHA1 Hash of Public Key

If an Issuer-OID-MappingType triplet has been configured, the KDC SHOULD<25> consider certificates from the specified Issuer with any of the specified policy OIDs to have strong mappings if mapped via one of the specified mapping types. Supported MappingTypes are IssuerSubject (referring to the altSecurityIdentities Issuer Name and Subject Name above) and UPNSuffix=<domainname> (referring to the SAN UPNName above, scoped to UPNs ending in "@<domainname>").
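The KDC search order described in this section, written out as an added Python example (not code from this specification or from any KDC implementation): it walks the mappings found for a certificate, returns on the first strong one, upgrades a weak mapping when a configured Issuer-OID-MappingType triplet covers it, and otherwise applies the weak-only outcome. The mapping labels, the `Cert` and `Triplet` records and the `fail_on_weak_only` flag (standing in for the MAY above) are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Labels for the mapping kinds listed in this section (names are this example's own).
WEAK = ("SAN UPNName", "SAN DNSName", "altSecId IssuerSubject",
        "altSecId Subject", "altSecId RFC822")
STRONG = ("SID", "KeyTrust", "altSecId IssuerSerial",
          "altSecId SKI", "altSecId SHA1PublicKey")

@dataclass(frozen=True)
class Cert:
    issuer: str                      # issuer DN of the client certificate
    policy_oids: frozenset           # certificate policy OIDs present in the cert
    san_upn: Optional[str] = None    # SAN UPNName value, if any

@dataclass(frozen=True)
class Triplet:
    """An Issuer-OID-MappingType configuration entry."""
    issuer: str
    policy_oids: frozenset
    mapping_type: str                # "IssuerSubject" or "UPNSuffix=<domainname>"

def triplet_upgrades(cert: Cert, mapping: str, triplets: Iterable[Triplet]) -> bool:
    """True if some triplet makes this weak mapping count as strong for this cert."""
    for t in triplets:
        if t.issuer != cert.issuer or not (t.policy_oids & cert.policy_oids):
            continue                 # issuer or policy OID does not match
        if t.mapping_type == "IssuerSubject" and mapping == "altSecId IssuerSubject":
            return True
        if t.mapping_type.startswith("UPNSuffix=") and mapping == "SAN UPNName":
            suffix = "@" + t.mapping_type[len("UPNSuffix="):].lower()
            if cert.san_upn and cert.san_upn.lower().endswith(suffix):
                return True          # UPN is scoped to the configured domain
    return False

def evaluate(cert: Cert, found: Iterable[str], triplets: Iterable[Triplet] = (),
             fail_on_weak_only: bool = False) -> Tuple[str, Optional[str]]:
    """Return ("strong", m), ("weak", m) or ("fail", None) following the KDC rules."""
    triplets = tuple(triplets)
    first_weak = None
    for m in found:
        if m in STRONG or (m in WEAK and triplet_upgrades(cert, m, triplets)):
            return ("strong", m)     # stop at the first strong mapping
        if m in WEAK and first_weak is None:
            first_weak = m           # remember it, keep searching for a strong one
    if first_weak is not None and not fail_on_weak_only:
        return ("weak", first_weak)  # weak mapping accepted only if not configured to fail
    return ("fail", None)            # no mapping, or weak-only with KDC_ERR_CERTIFICATE_MISMATCH

if __name__ == "__main__":
    # Constructed sample: issuer, policy OID and UPN are placeholders, not real values.
    c = Cert("CN=Example Issuing CA", frozenset({"1.2.3.4.5"}), "alice@corp.example")
    print(evaluate(c, ["SAN UPNName", "SID"]))                # ('strong', 'SID')
    print(evaluate(c, ["SAN UPNName"], fail_on_weak_only=True))  # ('fail', None)
```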