The Kerberos client SHOULD<15><16> send only a PA-PK-AS-REQ pre-authentication data identifier.

Kerberos clients can process either the PA-PK-AS-REP_OLD or the PA-PK-AS-REP pre-authentication data identifier in the reply, but not both.<17>

For computer AS-REQ, PKCA clients SHOULD<18> fail unless all of the following conditions are met.

  • The computer certificate contains:

    • subjectAltName (SAN) DNSName field: <computer name>.<DNS domain name> where <computer name> matches the computer name and <DNS domain name> matches the computer's DNS domain name.

    • Enhance Key Usage (EKU): id-pkinit-KPClientAuth ( or TLS/SSL Client Authentication (

  • The KDC certificate contains:

    • SAN DNSName field: the DNS name of the domain

    • EKU: id-pkinit-KPkdc (