  1. Dec 31, 2019 · The certificates in this document with a UPN in the SAN field were generated using Ubuntu 16.x with OpenSSL installed. The following shows the certificate with the UPN in the SAN field that will be used as the User-ID name. This certificate would be installed on the client computer where the GP agent is installed:

    • Overview
    • Smart card sign-in flow in Windows
    • KDC certificate
    • Client certificate requirements and mappings
    • Smart card sign-in for a single user with one certificate into multiple accounts
    • Smart card sign-in for multiple users into a single account
    • Smart card sign-in across forests
    • OCSP support for PKINIT
    • Smart card root certificate requirements for use with domain sign-in

    This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.

    When a smart card is inserted, the following steps are performed.

    1. The smart card resource manager database searches for the smart card's cryptographic service provider (CSP).

    2. A qualified container name is constructed by using the smart card reader name, and it's passed to the CSP. The format is \\\\. \\

    3. CryptAcquireContext is called to retrieve a context to the default container. If a failure occurs, the smart card is unusable for smart card sign-in.

    4. The name of the container is retrieved by using the PP_CONTAINER parameter with CryptGetProvParam.

    Most issues during authentication occur because of session behavior changes. When changes occur, the Local Security Authority (LSA) doesn't reacquire the session context; it relies instead on the Cryptographic Service Provider to handle the session change.

    Client certificates that don't contain a UPN in the subjectAltName (SAN) field of the certificate can be enabled for sign-in, which supports a wider variety of certificates and supports multiple sign-in certificates on the same card.

    Support for multiple certificates on the same card is enabled by default. New certificate types must be enabled through Group Policy.

    If you enable the Allow signature keys valid for Logon credential provider policy, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen. This allows users to select their sign-in experience. If the policy is disabled or not configured, smart card signature-key-based certificates aren't listed on the sign-in screen.

    Active Directory Certificate Services provides three kinds of certificate templates:

    • Domain controller

    • Domain controller authentication

    • Kerberos authentication

    Certificate requirements

    Client certificate mappings

    Certificate mapping is based on the UPN that is contained in the subjectAltName (SAN) field of the certificate. Client certificates that don't contain information in the SAN field are also supported. SSL/TLS can map certificates that don't have a SAN, and the mapping is done by using the AltSecID attributes on client accounts. The X509 AltSecID, which is used by SSL/TLS client authentication, is of the form "X509: and are taken from the client certificate, with '\r' and '\n' replaced with ','.

    Certificate fields used in mapping:

    • Certificate revocation list distribution points
    • UPN in Subject Alternative Name field
    • Subject and Issuer fields

    This account mapping is supported by the KDC in addition to six other mapping methods. The following figure demonstrates the flow of user account mapping logic that is used by the KDC.

    High-level flow of certificate processing for sign-in

    The certificate object is parsed to look for content to perform user account mapping.

    • When a user name is provided with the certificate, the user name is used to locate the account object. This operation is the fastest, because only string matching occurs.
    • When only the certificate object is provided, multiple operations are performed to locate the user name and map it to an account object.
    • When no domain information is available for authentication, the local domain is used by default. If any other domain is to be used for lookup, a domain name hint should be provided to perform the mapping and binding.

    A single user certificate can be mapped to multiple accounts. For example, a user might be able to sign in to a user account and also to sign in as a domain administrator. The mapping is done by using the constructed AltSecID based on attributes from client accounts. For information about how this mapping is evaluated, see Client certificate requirements and mappings.

    Based on the information that is available in the certificate, the sign-in conditions are:

    1. If no UPN is present in the certificate:

       • Sign-in can occur in the local forest or in another forest if a single user with one certificate needs to sign in to different accounts

       • A hint must be supplied if mapping isn't unique (for example, if multiple users are mapped to the same certificate)

    2. If a UPN is present in the certificate:

    A group of users might sign in to a single account (for example, an administrator account). For that account, user certificates are mapped so that they're enabled for sign-in.

    Several distinct certificates can be mapped to a single account. For this to work properly, the certificate can't have UPNs.

    For account mapping to work across forests, particularly in cases where there isn't enough information available on the certificate, the user might enter a hint in the form of a user name, such as domain\\user, or a fully qualified UPN such as user@contoso.com.

    Online Certificate Status Protocol (OCSP), which is defined in RFC 2560, enables applications to obtain timely information about the revocation status of a certificate. Because OCSP responses are small and well bound, constrained clients might want to use OCSP to check the validity of the certificates for Kerberos on the KDC, to avoid transmission of large CRLs, and to save bandwidth on constrained networks. For information about CRL registry keys, see Smart Card Group Policy and Registry Settings.

    The KDCs in Windows attempt to get OCSP responses and use them when available. This behavior can't be disabled. CryptoAPI for OCSP caches OCSP responses and the status of the responses. The KDC supports only OCSP responses for the signer certificate.

    For sign-in to work in a smart card-based domain, the smart card certificate must meet the following conditions:

    • The KDC root certificate on the smart card must have an HTTP CRL distribution point listed in its certificate

    • The smart card sign-in certificate must have the HTTP CRL distribution point listed in its certificate

    • The CRL distribution point must have a valid CRL published and a delta CRL, if applicable, even if the CRL distribution point is empty

    • The smart card certificate must contain one of the following:

       • A subject field that contains the DNS domain name in the distinguished name. If it doesn't, resolution to an appropriate domain fails, so Remote Desktop Services and the domain sign-in with the smart card fail

  3. Sep 29, 2020 · In the variable assign give the access policy item a name for instance “upn_extract” and then click the “Add New Entry” button. Then ensure that Custom Variable is selected. Create a variable name – for instance session.custom.upn. On the right side select “Custom Expression”.

  4. Apr 29, 2024 · In Active Directory, the default UPN suffix is the DNS where you created the user account. In most cases, register this domain name as the enterprise domain. If you create the user account in the contoso.com domain, the default UPN is: username@contoso.com. Add more UPN suffixes with Active Directory domains and trusts.

  5. (foo.pem will contain both the certificate and the private key.) The UPN is stored as a special type of "subjectAltName" in the certificate. Unfortunately, OpenSSL does not yet know how to display UPNs (as well as some other types of names), so the usual command for examining certificates (openssl x509 -noout -text < foo.pem) will not work ...

    Code sample

    Subject Alternative Name (not critical):
      otherName OID: 1.3.6.1.4.1.311.20.2.3
      otherName DER: 0c1867726177697479404e554c4c524f5554452e45552e4f5247
      otherName ASCII: ..grawity@NULLROUTE.EU.ORG
  6. The UPN can be used for federated, SAML and OAuth scenarios. Is a UPN the same as an email address? A UPN is not the same as the user's email address. In many cases they are the same value for ease of use, but UPN and email have different internal uses and are defined in different active directory attributes.

  7. Mar 11, 2024 · The easiest way to do it is to change UserPrincipalName in user properties in the ADUC console (dsa.msc). As you can see, all UPN suffixes of the domain are available in the list. Select the one you want and click OK. Note that UserPrincipalName in this form consists of two parts: a user name and a UPN suffix.