3.1.5.2.1.6 SID

If a Key Distribution Center (KDC) has exhausted all other mapping types for a certificate and found a weak mapping without finding a strong mapping, it SHOULD<25> check whether the certificate contains a security identifier (SID). If the certificate does contain a SID and that SID matches the objectSid of the user to which the certificate is weakly mapped, the certificate is to be considered strongly mapped. If the SID does not match, the authentication MUST fail with KDC_ERR_CERTIFICATE_MISMATCH. If the certificate does not contain a SID, the KDC MAY fail the authentication request, as no strong mapping is available. For details on how the objectSid is carried in an issued certificate (the szOID_NTDS_CA_SECURITY_EXT extension), see [MS-WCCE] section 2.2.2.7.7.4.

If the KDC finds no SID through the extension described in [MS-WCCE] section 2.2.2.7.7.4, it SHOULD<26> also check whether the certificate carries a SID in a Subject Alternative Name of type URL (uniformResourceIdentifier), in the literal format:

tag:microsoft.com,2022-09-14:sid:<string-sid>

If the certificate is weakly mapped to a user and the SID carried in that URL matches that user's objectSid, the certificate is to be considered strongly mapped.
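As an added illustration of the two checks described in this section (this is example code, not text from MS-PKCA and not the Windows KDC's implementation), the following Python extracts the SID from a certificate both ways and applies the decision above. It assumes the szOID_NTDS_CA_SECURITY_EXT value is laid out as [MS-WCCE] section 2.2.2.7.7.4 describes: a GeneralNames SEQUENCE holding one otherName whose type-id is szOID_NTDS_OBJECTSID (1.3.6.1.4.1.311.25.2.1) and whose value is an OCTET STRING containing the string-form SID. The helper names, the `Mapping` enum, the constructed sample SID, and the choice to treat a mismatched URL-SAN SID the same as a mismatched extension SID (the section states MUST fail only for the extension case) are this example's own.

```python
"""Added example: SID-based strong-mapping check per MS-PKCA 3.1.5.2.1.6.

Not MS-PKCA or Windows KDC code. Assumed extension layout ([MS-WCCE] 2.2.2.7.7.4):
    SEQUENCE {                                  -- GeneralNames
      [0] OtherName {                           -- otherName
        OBJECT IDENTIFIER 1.3.6.1.4.1.311.25.2.1    -- szOID_NTDS_OBJECTSID
        [0] EXPLICIT OCTET STRING "S-1-5-21-..."    -- string-form SID
      }
    }
"""
import re
from enum import Enum
from typing import Iterable, Iterator, Optional, Tuple

OID_NTDS_OBJECTSID_DER = bytes.fromhex("2b060104018237190201")  # 1.3.6.1.4.1.311.25.2.1
SID_URL_PREFIX = "tag:microsoft.com,2022-09-14:sid:"             # literal prefix from the spec
STRING_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")                # string-form SID shape


class Mapping(Enum):
    STRONG = "strong"                            # SID matched the weakly mapped account
    NO_SID = "no SID in certificate"             # KDC MAY fail: no strong mapping available
    MISMATCH = "KDC_ERR_CERTIFICATE_MISMATCH"    # SID present but for another account


def der_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def der_children(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Iterate the TLVs inside a constructed element's content."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = der_read(buf, pos)
        yield tag, value


def der_tlv(tag: int, value: bytes) -> bytes:
    """DER-encode one TLV (used here only to construct sample input)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_security_ext(sid: str) -> bytes:
    """Constructed sample: an szOID_NTDS_CA_SECURITY_EXT value carrying the given SID."""
    other_name = der_tlv(0x06, OID_NTDS_OBJECTSID_DER) + der_tlv(0xA0, der_tlv(0x04, sid.encode("ascii")))
    return der_tlv(0x30, der_tlv(0xA0, other_name))


def sid_from_security_ext(ext_value: bytes) -> Optional[str]:
    """Return the string SID from the extension value, or None if it carries none."""
    tag, names, _ = der_read(ext_value)
    if tag != 0x30:
        raise ValueError("extension value is not a SEQUENCE")
    for tag, other_name in der_children(names):
        if tag != 0xA0:                          # only otherName entries can carry the SID
            continue
        oid_tag, oid, pos = der_read(other_name)
        if oid_tag != 0x06 or oid != OID_NTDS_OBJECTSID_DER:
            continue
        val_tag, explicit, _ = der_read(other_name, pos)
        if val_tag != 0xA0:
            continue
        str_tag, sid_bytes, _ = der_read(explicit)
        sid = sid_bytes.decode("ascii", "replace")
        if str_tag == 0x04 and STRING_SID_RE.match(sid):
            return sid
    return None


def sid_from_url_san(san_urls: Iterable[str]) -> Optional[str]:
    """Return the SID from a URL-type SAN in the tag:microsoft.com,2022-09-14:sid: form, or None."""
    for url in san_urls:
        if url.startswith(SID_URL_PREFIX):       # literal, case-sensitive match
            sid = url[len(SID_URL_PREFIX):]
            if STRING_SID_RE.match(sid):
                return sid
    return None


def evaluate_weak_mapping(account_sid: str, ext_value: Optional[bytes] = None,
                          san_urls: Iterable[str] = ()) -> Mapping:
    """KDC decision once only a weak mapping to the account with objectSid=account_sid remains.

    Assumption (this example's): a non-matching SID from the URL SAN is treated
    like a non-matching extension SID, i.e. KDC_ERR_CERTIFICATE_MISMATCH.
    """
    cert_sid = sid_from_security_ext(ext_value) if ext_value else None
    if cert_sid is None:                         # extension absent or SID-less: try the URL SAN
        cert_sid = sid_from_url_san(san_urls)
    if cert_sid is None:
        return Mapping.NO_SID
    return Mapping.STRONG if cert_sid.upper() == account_sid.upper() else Mapping.MISMATCH
```

The extension check runs first and the URL SAN is consulted only when the extension yields no SID, matching the order in this section; a certificate with neither returns `NO_SID`, where the KDC MAY reject because no strong mapping exists.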