AD CS: Certificate Services

In most enterprises, certificates and hardware tokens are used instead of passwords to achieve authentication with higher assurance, and thankfully Kerberos supports certificates through PKINIT (RFC 4556). Because of this, a Certificate Authority is required to issue the certificates.

Mapping a certificate to an AD account

Before the authentication can be performed however, the certificate must be mapped to the AD account. This can be done through several means, most commonly by setting the User Principal Name (UPN) in the certificate's Subject Alternative Name (SAN).

In 2022 however, Microsoft introduced changes through KB5014754, following CVEs after which a UPN in the SAN is no longer considered a mapping of sufficient strength. Instead, the mapping must be based on a value which is not reusable and binds the mapping to a specific certificate. This can be achieved by using the certificate's SKI (which is derived from the public key).
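As an added example (not from the original page), the script below builds the strong altSecurityIdentities values from KB5014754 (issuer plus byte-reversed serial, and SKI) and audits a directory export for accounts still relying on weak mappings before enforcement is turned on. It assumes the documented tag formats (X509:<I>...<SR>..., X509:<SKI>..., X509:<SHA1-PUKEY>... as strong; X509:<I>...<S>..., X509:<S>..., X509:<RFC822>... as weak), that the SKI follows RFC 5280 method 1 (SHA-1 of the subjectPublicKey bits; read it from the certificate if your CA uses another method), and uses constructed sample accounts.

```python
import hashlib
import re

# Tag sets of the altSecurityIdentities formats named in KB5014754.
STRONG = ({"I", "SR"}, {"SKI"}, {"SHA1-PUKEY"})
WEAK = ({"I", "S"}, {"S"}, {"RFC822"})


def parse_mapping(value):
    """Split 'X509:<I>issuer<SR>serial' into {'I': issuer, 'SR': serial}."""
    if not value.startswith("X509:"):
        return None
    parts = re.findall(r"<([A-Z0-9-]+)>([^<]*)", value[5:])
    return {tag: val for tag, val in parts} or None


def classify_mapping(value):
    """Return 'strong', 'weak' or 'unknown' for one altSecurityIdentities entry."""
    fields = parse_mapping(value)
    if fields is None:
        return "unknown"
    tags = set(fields)
    return "strong" if tags in STRONG else "weak" if tags in WEAK else "unknown"


def reverse_serial(serial_hex):
    """The <SR> field holds the serial number with its byte order reversed."""
    clean = re.sub(r"[^0-9a-fA-F]", "", serial_hex)
    if len(clean) % 2:
        clean = "0" + clean  # pad to whole bytes before reversing
    return "".join(clean[i:i + 2] for i in range(len(clean) - 2, -1, -2)).lower()


def issuer_serial_mapping(issuer_dn, serial_hex):
    """Strong mapping bound to one certificate: issuer DN plus reversed serial."""
    return f"X509:<I>{issuer_dn}<SR>{reverse_serial(serial_hex)}"


def ski_mapping(subject_public_key_bits):
    """Strong mapping from the SKI (RFC 5280 method 1: SHA-1 of the key bits)."""
    return "X509:<SKI>" + hashlib.sha1(subject_public_key_bits).hexdigest()


def weak_mappings(accounts):
    """Return (sAMAccountName, value) for every mapping that is not strong."""
    return [(name, v) for name, values in accounts.items()
            for v in values if classify_mapping(v) != "strong"]


# Constructed sample export of altSecurityIdentities (hypothetical accounts).
SAMPLE = {
    "alice": ["X509:<I>DC=com,DC=contoso,CN=CONTOSO-CA<SR>1200000000ac0011000000002b"],
    "bob": ["X509:<I>DC=com,DC=contoso,CN=CONTOSO-CA<S>CN=bob"],
    "svc-backup": ["X509:<RFC822>svc-backup@contoso.com"],
}
```

Running `weak_mappings(SAMPLE)` flags bob and svc-backup, the accounts that will fail once KB5014754 enforcement mode rejects weak mappings.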
