3.1.5.2.1.5 Mapping Strength
The KDC SHOULD<23> map a certificate to a user using one of the following mappings. These methods of mapping a certificate to a user are classified as strong or weak based on whether they depend on a name as a secure identifier. The following mappings are considered weak:
SAN UPNName
SAN DNSName
altSecurityIdentities Issuer Name and Subject Name
altSecurityIdentities Subject Name
altSecurityIdentities 822 field
If a KDC maps a certificate to a user using one of the above weak mappings, it SHOULD<24> continue to search for more mappings until it encounters a strong mapping. If it does not find such a mapping, it MAY fail the authentication request with KDC_ERR_CERTIFICATE_MISMATCH.
The following mappings are considered strong:
SID (section 3.1.5.2.1.6)
Key Trust (section 3.1.5.2.1.4)
altSecurityIdentities Issuer and Serial Number
altSecurityIdentities Subject Key Identifier
altSecurityIdentities SHA1 Hash of Public Key
If an Issuer-OID-MappingType triplet has been configured, the KDC SHOULD<25> consider certificates from the specified Issuer with any of the specified policy OIDs to have strong mappings if mapped via one of the specified mapping types. Supported MappingTypes are IssuerSubject (referring to the altSecurityIdentities Issuer Name and Subject Name above) and UPNSuffix=<domainname> (referring to the SAN UPNName above, scoped to UPNs ending in "@<domainname>").
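As an added illustration (not part of the specification or any Microsoft implementation), the following Python models the classification above: it parses the X509:<tag> syntax Microsoft uses for altSecurityIdentities values (the tag names are assumed from Microsoft's documentation of that attribute, not from this section), applies a configured Issuer-OID-MappingType triplet (IssuerOidRule is a hypothetical shape for that configuration), and implements the KDC's rule of searching past weak mappings for a strong one.

```python
import re
from dataclasses import dataclass

# altSecurityIdentities values use the X509:<tag>value syntax (tag names assumed from
# Microsoft's documentation); each tag sequence is paired with this section's strength.
ALTSEC_TAGS = {
    ("I", "S"): ("IssuerSubject", "weak"),
    ("S",): ("Subject", "weak"),
    ("RFC822",): ("RFC822", "weak"),
    ("I", "SR"): ("IssuerSerial", "strong"),
    ("SKI",): ("SubjectKeyIdentifier", "strong"),
    ("SHA1-PUKEY",): ("SHA1PublicKey", "strong"),
}
TAG_RE = re.compile(r"<([A-Z0-9-]+)>([^<]*)")

def classify_alt_sec_id(value):
    """Return (mapping type, base strength) for one altSecurityIdentities string."""
    if not value.startswith("X509:"):
        raise ValueError("unsupported altSecurityIdentities format: %r" % value)
    tags = tuple(tag for tag, _ in TAG_RE.findall(value[len("X509:"):]))
    if tags not in ALTSEC_TAGS:
        raise ValueError("unknown tag sequence %r" % (tags,))
    return ALTSEC_TAGS[tags]

@dataclass(frozen=True)
class IssuerOidRule:  # one configured Issuer-OID-MappingType triplet (hypothetical shape)
    issuer: str
    policy_oids: frozenset
    mapping_types: frozenset  # "IssuerSubject" and/or "UPNSuffix=<domainname>"

def mapping_strength(mapping_type, base, cert_issuer, cert_policy_oids, rules, upn=None):
    """Apply the triplet override: a weak IssuerSubject or SAN UPN mapping may become strong."""
    if base == "strong":
        return "strong"
    for rule in rules:
        if rule.issuer != cert_issuer or not (rule.policy_oids & frozenset(cert_policy_oids)):
            continue
        if mapping_type == "IssuerSubject" and "IssuerSubject" in rule.mapping_types:
            return "strong"
        if mapping_type == "SAN_UPN" and upn and any(
                mt.startswith("UPNSuffix=") and upn.lower().endswith("@" + mt[10:].lower())
                for mt in rule.mapping_types):
            return "strong"  # UPN ends in "@<domainname>" from a configured UPNSuffix
    return "weak"

def select_mapping(candidates, cert_issuer, cert_policy_oids, rules, upn=None, strict=True):
    """KDC rule: search past weak mappings; with no strong one, fail (strict) or use the first weak."""
    first_weak = None
    for mapping_type, base in candidates:
        if mapping_strength(mapping_type, base, cert_issuer, cert_policy_oids, rules, upn) == "strong":
            return mapping_type
        first_weak = first_weak or mapping_type
    return first_weak if (first_weak and not strict) else "KDC_ERR_CERTIFICATE_MISMATCH"
```

The issuer names, policy OID and serial number in the checks are constructed sample values, not taken from any real CA.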