3.1.5.1 Client
The Kerberos client SHOULD<15><16> send only a PA-PK-AS-REQ pre-authentication data identifier.
Kerberos clients can process either the PA-PK-AS-REP_OLD or the PA-PK-AS-REP pre-authentication data identifier in the reply, but not both.<17>
For a computer AS-REQ, PKCA clients SHOULD<18> fail unless all of the following conditions are met.
The computer certificate contains:
subjectAltName (SAN) DNSName field: <computer name>.<DNS domain name> where <computer name> matches the computer name and <DNS domain name> matches the computer's DNS domain name.
Enhanced Key Usage (EKU): id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4) or TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2).
The KDC certificate contains:
SAN DNSName field: the DNS name of the domain
EKU: id-pkinit-KPkdc (1.3.6.1.5.2.3.5)
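The following is an added example of the computer AS-REQ certificate checks above, written for this page; it is not part of the MS-PKCA specification or of any Microsoft implementation. It assumes the caller has already extracted the raw DER value of the subjectAltName and extendedKeyUsage extensions from both certificates with an X.509 library, and decodes only the minimal DER those two extensions need (SEQUENCE, OID and the [2] dNSName GeneralName). The host and domain names (WS01, corp.example.com) and the sample extension values are constructed for the example.

```python
"""MS-PKCA 3.1.5.1 computer AS-REQ certificate checks (added example, not spec code)."""

ID_PKINIT_KPCLIENTAUTH = "1.3.6.1.5.2.3.4"   # id-pkinit-KPClientAuth
ID_KP_CLIENTAUTH = "1.3.6.1.5.5.7.3.2"       # TLS/SSL Client Authentication
ID_PKINIT_KPKDC = "1.3.6.1.5.2.3.5"          # id-pkinit-KPkdc

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_GN_DNSNAME = 0x82   # GeneralName [2] IMPLICIT IA5String (dNSName)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N, then N length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _iter_sequence(der):
    """Yield (tag, value) for each element of a top-level DER SEQUENCE."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("expected SEQUENCE, got tag 0x%02x" % tag)
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value


def decode_oid(value):
    """Decode OID content octets to dotted form (first subidentifier assumed single byte)."""
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in value[1:]:                    # base-128, high bit set on all but last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def san_dns_names(san_der):
    return [v.decode("ascii") for t, v in _iter_sequence(san_der) if t == TAG_GN_DNSNAME]


def eku_oids(eku_der):
    return [decode_oid(v) for t, v in _iter_sequence(eku_der) if t == TAG_OID]


def _dns_equal(a, b):
    # DNS names compare case-insensitively; no wildcard matching, the spec wants the exact name.
    return a.rstrip(".").lower() == b.rstrip(".").lower()


def computer_cert_ok(san_der, eku_der, computer_name, dns_domain):
    expected = "%s.%s" % (computer_name, dns_domain)
    has_name = any(_dns_equal(n, expected) for n in san_dns_names(san_der))
    has_eku = bool(set(eku_oids(eku_der)) & {ID_PKINIT_KPCLIENTAUTH, ID_KP_CLIENTAUTH})
    return has_name and has_eku


def kdc_cert_ok(san_der, eku_der, dns_domain):
    has_name = any(_dns_equal(n, dns_domain) for n in san_dns_names(san_der))
    return has_name and ID_PKINIT_KPKDC in eku_oids(eku_der)


def computer_as_req_allowed(computer, kdc, computer_name, dns_domain):
    """SHOULD<18>: proceed only when every condition on both certificates holds."""
    return computer_cert_ok(*computer, computer_name, dns_domain) and kdc_cert_ok(*kdc, dns_domain)


# --- DER encoders used only to build the constructed sample inputs below ---
def _der(tag, content):
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return bytes(out)


def make_san(*names):
    return _der(TAG_SEQUENCE, b"".join(_der(TAG_GN_DNSNAME, n.encode("ascii")) for n in names))


def make_eku(*oids):
    return _der(TAG_SEQUENCE, b"".join(_der(TAG_OID, _encode_oid(o)) for o in oids))


# Constructed sample extension values (hypothetical host WS01 in corp.example.com).
GOOD_COMPUTER = (make_san("WS01.corp.example.com"), make_eku(ID_KP_CLIENTAUTH))
GOOD_KDC = (make_san("corp.example.com"), make_eku(ID_PKINIT_KPKDC))
WRONG_DOMAIN = (make_san("WS01.other.example.com"), make_eku(ID_KP_CLIENTAUTH))
KDC_WITHOUT_PKINIT_EKU = (make_san("corp.example.com"), make_eku(ID_KP_CLIENTAUTH))

if __name__ == "__main__":
    print(computer_as_req_allowed(GOOD_COMPUTER, GOOD_KDC, "ws01", "corp.example.com"))
    print(computer_as_req_allowed(WRONG_DOMAIN, GOOD_KDC, "ws01", "corp.example.com"))
    print(computer_as_req_allowed(GOOD_COMPUTER, KDC_WITHOUT_PKINIT_EKU, "ws01", "corp.example.com"))
```

The two negative samples cover the failure modes a client must refuse: a computer certificate whose SAN DNSName is in a different DNS domain, and a KDC certificate that carries only a client-authentication EKU instead of id-pkinit-KPkdc. Both conditions are required, so a certificate with the right EKU but no matching SAN DNSName fails as well.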