3.1.5.2.1.3 Explicit Mapping

The KDC MUST confirm the explicit mapping of the account to a certificate. Implementations of PKCA KDCs which use Active Directory for the account database MUST confirm that the altSecurityIdentities attribute ([MS-ADA1] section 2.61) contains the string created by concatenating the following information from the certificate in the order shown:

  1. Subject and Issuer Name fields: "X509:<I>" + Issuer Name field with "\r" and "\n" replaced with "," + "<S>" + Subject field with "\r" and "\n" replaced with ",".

  2. Subject field: "X509:<S>" + Subject field with "\r" and "\n" replaced with ",".

  3. Issuer and Serial Number fields: "X509:<I>" + Issuer Name field with "\r" and "\n" replaced with "," + "<SR>" + Serial Number field.

  4. Subject Key Identifier field: "X509:<SKI>" + Subject Key Identifier field.

  5. SHA1 hash of public key: "X509:<SHA1-PUKEY>" + SHA1 hash of public key.

  6. 822 field: "X509: <RFC822>" + 822 Name field.

If they do not match, the KDC SHOULD return KDC_ERR_CLIENT_NAME_MISMATCH.
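As an added illustration that is not part of the protocol text, the following Python builds the six altSecurityIdentities forms listed above from constructed certificate field values and models the KDC's lookup, returning either the matching string or the error name the KDC SHOULD return on mismatch. It assumes a CRLF pair in a name collapses to a single comma and that the serial number and Subject Key Identifier are already supplied as strings; the field values are constructed, not taken from a real certificate.

```python
import hashlib

MISMATCH = "KDC_ERR_CLIENT_NAME_MISMATCH"


def flatten_name(name: str) -> str:
    """Turn a multi-line Issuer or Subject name into the single-line form the
    attribute stores: "\r" and "\n" become ",". Treating a CRLF pair as one
    line break (one comma) is an assumption of this example."""
    return name.replace("\r\n", ",").replace("\r", ",").replace("\n", ",")


def explicit_mappings(issuer, subject, serial, ski, pubkey_der, rfc822):
    """Return the six mapping strings for one certificate, in the order above."""
    i, s = flatten_name(issuer), flatten_name(subject)
    sha1 = hashlib.sha1(pubkey_der).hexdigest().upper()
    return [
        f"X509:<I>{i}<S>{s}",
        f"X509:<S>{s}",
        f"X509:<I>{i}<SR>{serial}",
        f"X509:<SKI>{ski}",
        f"X509:<SHA1-PUKEY>{sha1}",
        f"X509: <RFC822>{rfc822}",  # prefix copied verbatim from item 6 above
    ]


def kdc_confirm_mapping(alt_security_identities, cert_mappings):
    """Model the KDC check: the account's multi-valued attribute must contain
    one of the strings derived from the presented certificate (exact match)."""
    wanted = set(cert_mappings)
    for value in alt_security_identities:
        if value in wanted:
            return value
    return MISMATCH


# Constructed sample certificate fields (hypothetical, not a real certificate).
SAMPLE_ISSUER = "CN=Contoso Issuing CA\r\nDC=contoso\r\nDC=com"
SAMPLE_SUBJECT = "CN=alice\r\nOU=Users\r\nDC=contoso\r\nDC=com"
SAMPLE_SERIAL = "1A2B3C"
SAMPLE_SKI = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_PUBKEY = b"constructed-public-key-bytes"
SAMPLE_MAIL = "alice@contoso.com"

if __name__ == "__main__":
    maps = explicit_mappings(SAMPLE_ISSUER, SAMPLE_SUBJECT, SAMPLE_SERIAL,
                             SAMPLE_SKI, SAMPLE_PUBKEY, SAMPLE_MAIL)
    account = ["X509:<I>CN=Contoso Issuing CA,DC=contoso,DC=com<SR>1A2B3C"]
    print(kdc_confirm_mapping(account, maps))
```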

© 2015 Microsoft