MicrosoftAs always... Great write-up Ryan!
This does simplify the KDC side of issue for strong mapping.
Wondering if this certificate request option works only with the "Supply in the request" option in the certificate template or can be set to be auto-populated with the option "Build from Active Directory".
I understand that the former would be ideal for the devices requesting certificates via SCEP/MDM, however, for users and machines leveraging auto-enrollment, the latter would be a suitable option.
This issuance of certificates with the SID still remains a big task for the PKI admins.
Is there something also in pipeline to introduce new certificate template options to cater this requirement?
Somewhat like adding an additional item in the SAN list as in below screenshot, may be an item called SID that auto-populates from objectsid attribute of the requesting user?
