Update the documentation regarding SID usage for PKINIT

docs/pages/enroll-resources/database-access/enroll-self-hosted-databases/sql-server-ad-pkinit.mdx

@@ -189,7 +189,7 @@ following PowerShell script on your Windows instance:
 ```powershell
 $WindowsDERFile = $env:TEMP + "\windows.der"
 $WindowsPEMFile = $env:TEMP + "\windows.pem"
-certutil "-ca.cert" $WindowsDERFile 
+certutil "-ca.cert" $WindowsDERFile
 certutil -encode $WindowsDERFile $WindowsPEMFile
 
 $CA_CERT_PEM = Get-Content -Path $WindowsPEMFile
@@ -219,6 +219,16 @@ database section below as appropriate:
 - `spn`: Service Principal Name (SPN) for SQL Server to fetch Kerberos tickets.
 - `kdc_host_name`: SPN of the domain controller responsible for providing the LDAP CA.
 - `ldap_cert`: The contents of the LDAP CA previously exported.
+- `ldap_service_account_name`: Name of the service account Teleport uses to query LDAP for user SIDs.
+- `ldap_service_account_sid`: SID corresponding to the specified `ldap_service_account_name`.
+
+<Admonition type="note" title="LDAP service account">
+  Teleport will attempt to authenticate to LDAP with `ldap_service_account_name` username using x509 certificate issued
+  with the Teleport CA. LDAP should trust this certificate thanks to the previous step ("Publish the Teleport CA").
+
+  We encourage the use of service account with minimal privileges. To perform the mapping,
+  Teleport needs access to `objectSid`, `sAMAccountName` and `sAMAccountType` attributes.
+</Admonition>
 
 ```yaml
 version: v3
@@ -247,6 +257,8 @@ db_service:
           -----BEGIN CERTIFICATE-----
           ...
           -----END CERTIFICATE-----
+        ldap_service_account_name: "DEV\svc-teleport"
+        ldap_service_account_sid: "S-1-5-21-1111111111-2222222222-3333333333-4444"
 ```
 
 <Admonition type="tip">
@@ -343,6 +355,15 @@ that the KDC hostname is wrong. You can verify your domain controller’s SPN to
 see if they’re set correctly and update the value on the field `kdc_hostname` on
 your database's configuration.
 
+### PKINIT authentication fails due to missing SID
+
+If PKINIT authentication fails and the Teleport Database Service logs show errors related to a missing user SID or failed LDAP queries,
+verify that the `ldap_service_account_name` and `ldap_service_account_sid` fields are correctly set in your database configuration.
+
+Verify that there are no errors due to invalid certificate in `ldap_cert` field.
+
+Ensure that the service account exists, has correct name and SID and has access to specified attributes.
+
 ### Teleport cannot verify database CA
 
 If your database has a CA that Teleport doesn’t know about, it will return the

docs/pages/includes/config-reference/database-config.yaml

@@ -191,6 +191,11 @@ db_service:
       spn: MSSQLSvc/ec2amaz-4kn05du.dbadir.teleportdemo.net:1433
       # Optional path to Kerberos configuration file. Defaults to /etc/krb5.conf.
       krb5_file: /etc/krb5.conf
+      # Name of the service account Teleport uses to perform LDAP queries for retrieving user SIDs.
+      ldap_service_account_name: "svc-teleport"
+      # SID of the above service account. Teleport uses this to authenticate LDAP queries.
+      # Also required for PKINIT if the user SID must be included in the certificate.
+      ldap_service_account_sid: "S-1-5-21-1111111111-2222222222-3333333333-4444"
 
     # Optional configuration for Azure hosted databases.
     azure: