New Risk: A-CertReused - An attacker could correlate multiple identities through shared certificate material, revealing account relationships and prioritizing them for follow‑on compromise

What is a one sentence summary of your feature request?

The reuse of cryptographic material may allow an attacker to correlate otherwise separate accounts, effectively identifying linked identities and elevating them to higher‑value targets.

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

The reuse of a private key across separated user and administrative identities increases the blast radius of MITRE T1552.004 (Private Key Compromise) and enables T1649-based impersonation of privileged valid accounts. This undermines identity separation and privilege tiering controls.
An attacker could detect accounts that belong together and therefore identify them as more valuable targets.

Attributes that might need to be compared against other users: userCertificate / altSecurityIdentities / msDS-KeyCredentialLink

               ┌────────────────┐
               │  User Endpoint │
               │ (Private Key)  │
               └───────┬────────┘
                       │
              Compromise / Key Theft
                       │
                       ▼
              ┌────────────────┐
              │ Identical Key  │
              │ Fingerprint    │
              └───────┬────────┘
                       │
        ┌──────────────┴──────────────┐
        ▼                             ▼
┌──────────────┐             ┌──────────────┐
│ User Account │             │ Admin Account│
│ userCert     │             │ userCert     │
└──────────────┘             └──────────────┘
        │                             │
        └───────────► AD / KDC ◄──────┘
                     (PKINIT)

How do you currently solve the challenges you have by not having this feature?

I encountered this once with one of the attributes. In retrospect, similar cases may have occurred more often, but they were not explicitly examined or correlated at the time.
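
One way a defender could run the comparison proposed above for `userCertificate`, as an added example that is not part of the original request or of the project's code: it groups accounts by the SHA-256 of each certificate's public key and reports keys held by more than one account. The function names, account names and in-memory self-signed certificates are constructed for illustration, and PowerShell 7 is assumed; `altSecurityIdentities` and `msDS-KeyCredentialLink` are not covered.

```powershell
# Added example (hypothetical helper names). Sample data is constructed in memory.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-PublicKeyFingerprint {
    param([X509Certificate2]$Certificate)
    # Hash the public key itself, not the whole certificate, so the same key
    # is matched even when it was issued under different certificates.
    $sha = [SHA256]::Create()
    try {
        $hash = $sha.ComputeHash($Certificate.GetPublicKey())
        return ([System.BitConverter]::ToString($hash) -replace '-', '')
    } finally { $sha.Dispose() }
}

function Find-ReusedCertificateKey {
    # Each entry: @{ Account = <name>; Certificate = <X509Certificate2> }
    param([object[]]$Entries)
    $Entries |
        ForEach-Object {
            [pscustomobject]@{
                Account = $_.Account
                KeyId   = Get-PublicKeyFingerprint $_.Certificate
            }
        } |
        Group-Object KeyId |
        # Keep only keys that appear on more than one distinct account.
        Where-Object { @($_.Group.Account | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                KeyId    = $_.Name
                Accounts = @($_.Group.Account | Sort-Object -Unique)
            }
        }
}

function New-SampleCertificate {
    # Constructed test input: a short-lived self-signed certificate for a given key.
    param([string]$Subject, [RSA]$Key)
    $req = [CertificateRequest]::new("CN=$Subject", $Key,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $now = [DateTimeOffset]::UtcNow
    return $req.CreateSelfSigned($now, $now.AddDays(1))
}

# Constructed scenario: a user and an admin account share one key pair.
$sharedKey = [RSA]::Create(2048)
$otherKey  = [RSA]::Create(2048)
$sample = @(
    @{ Account = 'jdoe';     Certificate = New-SampleCertificate 'jdoe' $sharedKey }
    @{ Account = 'adm-jdoe'; Certificate = New-SampleCertificate 'adm-jdoe' $sharedKey }
    @{ Account = 'asmith';   Certificate = New-SampleCertificate 'asmith' $otherKey }
)
Find-ReusedCertificateKey $sample | Format-List
```

Against a real directory, the entries would be built from the certificates stored in each account's `userCertificate` attribute instead of the constructed sample.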