Using the User's Certificate to Identify the User

If Service 1 has the user certificate, it SHOULD<11> present the certificate to the domain controller (DC) to identify the user. To locate the user account object if the user's name is not available, Service 1 MUST send a KRB_AS_REQ message to its KDC with a PA_S4U_X509_USER (ID 130) padata type that contains the client's X509 certificate encoded in ASN.1, as specified in [RFC3280].
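
To recognize this request when inspecting Kerberos traffic, the following added example (not part of the specification) walks the DER encoding of a KRB_AS_REQ and returns the padata-value of the PA_S4U_X509_USER entry, if one is present. It assumes the AS-REQ and PA-DATA layout of RFC 4120; the function names are hypothetical, and the sample message is constructed, with placeholder bytes standing in for the certificate and an empty stub for req-body.

```python
PA_S4U_X509_USER = 130  # padata type ID stated in the text above

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # yields (tag, value) for each element in a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def s4u_x509_padata(as_req):
    """Return the type-130 padata-value from a KRB_AS_REQ, or None."""
    tag, body, _ = read_tlv(as_req)
    if tag != 0x6A:  # [APPLICATION 10] marks an AS-REQ
        raise ValueError("not a KRB_AS_REQ")
    fields = dict(children(read_tlv(body)[1]))  # KDC-REQ SEQUENCE fields
    if 0xA3 not in fields:  # padata [3] is OPTIONAL
        return None
    for _, pa in children(read_tlv(fields[0xA3])[1]):  # each PA-DATA
        item = dict(children(pa))
        ptype = int.from_bytes(read_tlv(item[0xA1])[1], "big", signed=True)
        if ptype == PA_S4U_X509_USER:
            return read_tlv(item[0xA2])[1]  # OCTET STRING contents
    return None

def tlv(tag, value):  # DER encoder, used only to build the constructed sample
    n, size = len(value), (len(value).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def pa_data(ptype, value):  # PA-DATA ::= SEQUENCE { [1] type, [2] value }
    num = tlv(0x02, ptype.to_bytes(ptype.bit_length() // 8 + 1, "big"))
    return tlv(0x30, tlv(0xA1, num) + tlv(0xA2, tlv(0x04, value)))

# Constructed sample: placeholder bytes, not a real certificate or capture.
FAKE_CERT = tlv(0x30, b"constructed placeholder, not a real X.509 certificate" * 3)
HEAD = tlv(0xA1, tlv(0x02, b"\x05")) + tlv(0xA2, tlv(0x02, b"\x0a"))  # pvno 5, msg-type 10
PADATA = tlv(0xA3, tlv(0x30, pa_data(2, b"unrelated") + pa_data(PA_S4U_X509_USER, FAKE_CERT)))
SAMPLE_AS_REQ = tlv(0x6A, tlv(0x30, HEAD + PADATA + tlv(0xA4, tlv(0x30, b""))))
```
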