3.1.5.1 Client

The Kerberos client SHOULD <15><16> send only a PA-PK-AS-REQ pre-authentication data identifier.

Kerberos clients can process either the PA-PK-AS-REP_OLD or the PA-PK-AS-REP pre-authentication data identifier in the reply, but not both.<17>

For computer AS-REQ, PKCA clients SHOULD <18> fail unless all of the following conditions are met.

The computer certificate contains:
- subjectAltName (SAN) DNSName field: <computer name>.<DNS domain name> where <computer name> matches the computer name and <DNS domain name> matches the computer's DNS domain name.
- Enhance Key Usage (EKU): id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4) or TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2).
The KDC certificate contains:
- SAN DNSName field: the DNS name of the domain
- EKU: id-pkinit-KPkdc (1.3.6.1.5.2.3.5)

Additional resources