Calculate file hashes

How to calculate a file hash on Windows with certutil

CertUtil -hashfile $FILE_PATH $ALGORITHM

The algorithm argument can be omitted, in which case SHA1 is used.

Enumerate AD CS templates

How to enumerate AD CS templates with certutil

AD CS is AD’s PKI, and is used on the back end for everything from provisioning disk encryption keys to user authentication. Certificate templates are a way to automate the certificate request process: Rather than an admin approving all CSRs manually, AD CS checks to see if a relevant “template” (which is really a template + associated settings + an access policy) exists that matches the supplied CSR and is configured to allow the requesting user to generate a certificate.

Enumerate all certificate templates from a domain-joined computer and domain-authenticated user:

certutil -v -template

In the output, look for templates with all of the following properties:
  • We need to be able to actually request a certificate. This is indicated by an Allow Enroll or Allow Full Control permission assigned to a group or user we are a member of.
  • The certificate needs to be usable for Kerberos authentication. This is true when the “Enhanced Key Usage” extension allows “Client Authentication”.
  • We need to be able to set the certificate’s “Subject Alternative Name”. This is indicated by TemplatePropSubjectNameFlags (a.k.a. CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) being set to 1.

(There are actually some other requirements — like fully automated certificate provisioning — but by default these are all satisfied.)

If a certificate has the above properties, then we can use it to create a certificate in the name of another user and then forge Kerberos tickets for that user with a tool like Rubeus.
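As an added example (not part of the original notes), a Python script that applies the three checks above to saved `certutil -v -template` output and lists the templates an AD CS admin should review and tighten; the sample output is constructed and its exact layout is an assumption, so adjust the patterns to what your CA actually prints.

```python
import re

# Constructed sample approximating `certutil -v -template` output (layout is an assumption).
SAMPLE = """\
Template[0]:
  TemplatePropCommonName = User
  TemplatePropEKUs =
    1.3.6.1.5.5.7.3.2 Client Authentication
  TemplatePropSubjectNameFlags = 0x80000000
    CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH
  Allow Enroll  CORP\\Domain Users
Template[1]:
  TemplatePropCommonName = LegacyVPN
  TemplatePropEKUs =
    1.3.6.1.5.5.7.3.2 Client Authentication
  TemplatePropSubjectNameFlags = 1
    CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
  Allow Enroll  CORP\\Domain Users
Template[2]:
  TemplatePropCommonName = WebServer
  TemplatePropEKUs =
    1.3.6.1.5.5.7.3.1 Server Authentication
  TemplatePropSubjectNameFlags = 1
    CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
  Allow Enroll  CORP\\Domain Users
"""

# Low-privilege principals: Enroll/Full Control granted to these counts as "broad".
BROAD_PRINCIPALS = {"domain users", "authenticated users", "everyone", "domain computers"}
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"  # Enhanced Key Usage: Client Authentication

def split_templates(text):
    """Yield (common name, block text) for each Template[n]: block."""
    for block in re.split(r"^Template\[\d+\]:\s*$", text, flags=re.M):
        m = re.search(r"TemplatePropCommonName = (.+)", block)
        if m:
            yield m.group(1).strip(), block

def risky_templates(text):
    """Names of templates meeting all three conditions listed above."""
    flagged = []
    for name, body in split_templates(text):
        client_auth = CLIENT_AUTH_OID in body
        enrollee_supplies_subject = "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT" in body
        # Strip the domain prefix (CORP\) and compare case-insensitively.
        principals = {p.strip().rsplit("\\", 1)[-1].lower()
                      for p in re.findall(r"Allow (?:Enroll|Full Control)\s+(.+)", body)}
        if client_auth and enrollee_supplies_subject and principals & BROAD_PRINCIPALS:
            flagged.append(name)
    return flagged
```

Any template it flags is a candidate for removing CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, requiring manager approval, or narrowing the enroll permissions.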
