In most enterprises, certificates and hardware tokens are used instead of passwords to achieve authentication with higher assurance, and thankfully Kerberos supports certificates through PKINIT (RFC 4556). Because of this, a Certificate Authority is required to issue the certificates.
In 2022, however, Microsoft introduced changes through KB5014754 following CVEs in which a UPN in the SAN is no longer considered a mapping of sufficient strength. Instead, the mapping must be made based on a value that is not reusable and binds the mapping to one specific certificate. This can be achieved by using the certificate's SKI (Subject Key Identifier, which is derived from the public key).
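As an added illustration of why an SKI-based mapping binds an account to one key while a UPN does not, the following Python is example code written here, not part of the original text or of any Microsoft tooling. It builds a SubjectPublicKeyInfo for constructed toy RSA-shaped keys (the moduli are not real RSA moduli), derives the SKI using RFC 5280 section 4.2.1.2 method 1 (SHA-1 over the subjectPublicKey bits), formats it as the `X509:<SKI>` altSecurityIdentities value that KB5014754 classes as a strong mapping, and checks an account's mapping list against a presented key while flagging entries that are only weak mappings. The DER helpers and the key values are assumptions made for this example; a real check should take the SKI from the certificate's own extension, since a CA may compute it differently.

```python
import hashlib

# ---- minimal DER encode/decode, written for this example (not a general ASN.1 library) ----

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v: int) -> bytes:
    # Non-negative INTEGER; the extra byte keeps the sign bit clear when needed.
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_read(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, value bytes, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

RSA_ENCRYPTION_OID = bytes.fromhex("06092A864886F70D010101")  # 1.2.840.113549.1.1.1
ASN1_NULL = b"\x05\x00"

def rsa_spki_der(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo { AlgorithmIdentifier, BIT STRING RSAPublicKey }."""
    rsa_public_key = der_tlv(0x30, der_int(n) + der_int(e))
    algorithm = der_tlv(0x30, RSA_ENCRYPTION_OID + ASN1_NULL)
    subject_public_key = der_tlv(0x03, b"\x00" + rsa_public_key)  # 0 unused bits
    return der_tlv(0x30, algorithm + subject_public_key)

def subject_public_key_bytes(spki_der: bytes) -> bytes:
    """Extract the raw subjectPublicKey bits (without the unused-bits octet)."""
    tag, spki, _ = der_read(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _algorithm, pos = der_read(spki, 0)
    tag, bit_string, _ = der_read(spki, pos)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("subjectPublicKey must be a BIT STRING with no unused bits")
    return bit_string[1:]

def subject_key_identifier(spki_der: bytes) -> str:
    """RFC 5280 4.2.1.2 method 1: SHA-1 of the subjectPublicKey bits, upper-case hex."""
    return hashlib.sha1(subject_public_key_bytes(spki_der)).hexdigest().upper()

def ski_mapping(spki_der: bytes) -> str:
    """altSecurityIdentities value in the X509SKI (strong) format from KB5014754."""
    return f"X509:<SKI>{subject_key_identifier(spki_der)}"

STRONG_PREFIXES = ("X509:<SKI>", "X509:<SHA1-PUKEY>")

def is_strong_mapping(entry: str) -> bool:
    """Strong per KB5014754: SKI, SHA1 public key, or issuer plus serial number."""
    if entry.startswith(STRONG_PREFIXES):
        return True
    return entry.startswith("X509:<I>") and "<SR>" in entry

def evaluate_mapping(spki_der: bytes, alt_security_identities):
    """Return (matching strong SKI entry or None, list of entries that are only weak mappings)."""
    wanted = ski_mapping(spki_der)
    matched = next((e for e in alt_security_identities if e.upper() == wanted), None)
    weak = [e for e in alt_security_identities if not is_strong_mapping(e)]
    return matched, weak

# Constructed toy keys for the demonstration; these are NOT valid RSA moduli.
TOY_KEY_A = rsa_spki_der((1 << 2047) | 1, 65537)   # large enough to exercise long-form lengths
TOY_KEY_B = rsa_spki_der((1 << 89) - 1, 65537)

if __name__ == "__main__":
    account = [ski_mapping(TOY_KEY_A), "X509:<RFC822>alice@corp.example"]  # constructed account entries
    print("presented key A:", evaluate_mapping(TOY_KEY_A, account))
    print("presented key B:", evaluate_mapping(TOY_KEY_B, account))
```

Key A matches the account's `X509:<SKI>` entry while key B, which could carry the very same UPN in its SAN, does not; the RFC822 entry is reported as weak so an administrator can replace it before the enforcement mode rejects it.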