AD Troubleshooting

AD and Domain-related issues and troubleshooting methods for Active Directory.

UseSubjectAltName and smartcard logon


On Windows 7 clients, if a smartcard certificate contains a Subject Alternative Name (SAN), the SAN is by default used for implicit mapping of the certificate to a user in AD. The UPN SAN is special in that it is compared directly against the userPrincipalName attribute; other SAN values are matched against whatever has been imported into the altSecurityIdentities attribute in X509 format.

If you want to ignore the contents of the SAN and use explicit mapping based on fields outside of the SAN (such as the Subject Name and Issuer), you need to disable SAN mapping on both the client and the KDC using the UseSubjectAltName registry value: a DWORD set to 0 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters on the client, and under HKLM\SYSTEM\CurrentControlSet\Services\Kdc on the domain controller. Once it is disabled, every smartcard user must have an explicit X509:<I>issuer<S>subject entry in altSecurityIdentities, because the KDC no longer falls back to the UPN in the SAN; set the value on every domain controller, not just one, so that logon does not depend on which KDC the client happens to contact.

This also requires Windows 7 on the client side and Windows Server 2008 R2 on the server (domain controller) side.

See http://technet.microsoft.com/en-us/library/ff520074(WS.10).aspx for details.

(See also Spat's entry at http://blogs.msdn.com/b/spatdsg/archive/2010/06/14/howto_3a00_-disable-upn-mapping-for-smartcard-logon.aspx, which covers this in more detail.)
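The following PowerShell script is an added example and is not part of the original post or the TechNet article. It builds the explicit X509:<I>issuer<S>subject mapping from an exported smartcard certificate, writes it to the user's altSecurityIdentities, and then sets UseSubjectAltName to 0 on the local client and on every domain controller. The file path C:\temp\user1.cer, the account name user1, the RSAT ActiveDirectory module being installed, and the caller having rights to modify the account and the domain controllers' registry are all assumptions; the RDN reversal also assumes no escaped commas inside the DN values.

```powershell
# Added example (not from the original post or Microsoft's documentation).
# Assumptions: RSAT ActiveDirectory module installed; caller may modify the
# target account and the DCs' registry; $CertPath and $SamAccountName are
# placeholders.
param(
    [string]$CertPath       = 'C:\temp\user1.cer',
    [string]$SamAccountName = 'user1'
)

# altSecurityIdentities expects the DN written from the root
# ("DC=com,DC=contoso,CN=CONTOSO-CA"), while .NET prints it leaf first
# ("CN=CONTOSO-CA, DC=contoso, DC=com"), so reverse the RDN order.
# Assumption: no escaped commas inside RDN values.
function ConvertTo-MappingDN {
    param([Parameter(Mandatory)][string]$Dn)
    $rdns = $Dn -split ',\s*'
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

# Explicit mapping on Issuer and Subject, i.e. the fields outside the SAN
# that the post says to map on once SAN/UPN mapping is disabled.
function New-ExplicitCertMapping {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    return ('X509:<I>{0}<S>{1}' -f (ConvertTo-MappingDN $Cert.Issuer), (ConvertTo-MappingDN $Cert.Subject))
}

$cert    = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$mapping = New-ExplicitCertMapping -Cert $cert

# Show what implicit mapping would have used (the SAN) next to what gets written.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { Write-Host ('SAN (ignored once UseSubjectAltName=0): ' + $san.Format($false)) }
Write-Host "Explicit mapping to be written: $mapping"

Import-Module ActiveDirectory
Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mapping }

# Client side (this machine): stop the Kerberos client from using the SAN UPN.
$clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if (-not (Test-Path $clientKey)) { New-Item -Path $clientKey -Force | Out-Null }
New-ItemProperty -Path $clientKey -Name UseSubjectAltName -PropertyType DWord -Value 0 -Force | Out-Null

# KDC side: apply the same value on every domain controller so that logon
# does not depend on which KDC answers the request.
$dcs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $dcs -ScriptBlock {
    $kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    New-ItemProperty -Path $kdcKey -Name UseSubjectAltName -PropertyType DWord -Value 0 -Force | Out-Null
    "$env:COMPUTERNAME UseSubjectAltName=" + (Get-ItemProperty -Path $kdcKey -Name UseSubjectAltName).UseSubjectAltName
}
```

Run it on the Windows 7 client in an elevated session with a copy of the user's certificate. Before rolling the registry change out to the domain controllers, make sure every smartcard user already has an altSecurityIdentities entry of this form, since after the change a certificate whose only link to the account is the UPN in its SAN will no longer map to anyone.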


Comments
  • This mechanism is only on R2 ???

  • Haven't tested on W2k8 or Vista but it should work there as well as per the Technet article: How to disable the Subject Alternative Name for UPN mapping

    Published: March 16, 2010

    Updated: May 5, 2010

    --> Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
