In a large network with multiple domains and a complex forest topology, the most unique identifier for a user is the UPN. So Microsoft requires smart card logon certificates to include the UPN in the SAN extension of the certificate.
Starting from Windows Vista, smart card logon certificates no longer need to include the UPN in that extension, and this makes mapping a certificate to a user account more challenging.
SSL/TLS services such as a web portal can map certificates that have no SAN; the mapping is done using the Issuer Name and the Subject Name. This type of mapping is supported by the KDC, among other methods.
So how does the KDC map certificates to accounts? (The first method that locates an account successfully wins, and the search stops.)
- If a UPN is specified in the SAN extension, the account is located directly, since the UPN is unique per forest.
- If a username is provided along with the certificate, the username is used for the lookup; this is the fastest method, as it is a simple string search. The username can be provided by enabling a GPO setting that displays hints on the logon screen, allowing the user to enter their username and/or domain.
- When no domain information is available via the hints, the current domain is searched by default. If another domain is to be used for the lookup, a domain hint must be provided.
- Next, tests are performed using the Subject and Issuer fields of the certificate.
- Then the Subject DN, serial number, Subject Key Identifier and certificate hash are tried, in that order. Finally, the SAN attribute is used as the last method.
It is important to note that after a mapping is performed between a certificate and a user name, with most mapping methods the NT_AUTH policy tests must be completed before Kerberos logon is allowed (the test criteria are found here: http://msdn.microsoft.com/en-us/library/aa377163.aspx). One of the important checks is that the issuer of the user certificate must be a CA registered in the NTAuth store in the AD Configuration partition, under Services > Public Key Services.
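As an added illustration (not code from the original post), the lookup order above and the NTAuth check, modelled in Python over a constructed set of accounts. The Cert and Account classes, the explicit_mappings field and the mapping-string format are assumptions made for the example; the point is the precedence, including that only the current domain is searched unless a domain hint is given.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed, simplified view of a smart card logon certificate (hypothetical fields).
@dataclass
class Cert:
    issuer: str
    subject: str
    serial: str
    ski: str
    sha1: str
    san_upn: Optional[str] = None
    san_email: Optional[str] = None

# Constructed AD account; explicit_mappings (hypothetical name) stands in for the
# per-account certificate mappings an administrator can configure.
@dataclass
class Account:
    sam: str
    domain: str
    upn: str
    explicit_mappings: set = field(default_factory=set)

NTAUTH_STORE = {"CN=Corp Issuing CA"}  # constructed NTAuth store contents

def map_certificate(cert: Cert, accounts: List[Account], current_domain: str,
                    username_hint: Optional[str] = None,
                    domain_hint: Optional[str] = None) -> Optional[Account]:
    """Return the first account found in the order the post describes, or None."""
    # Without a domain hint, only the current domain is searched.
    in_domain = [a for a in accounts if a.domain == (domain_hint or current_domain)]
    # 1. UPN in the SAN extension: unique per forest, so searched forest-wide.
    if cert.san_upn:
        for a in accounts:
            if a.upn == cert.san_upn:
                return a
    # 2. Username hint: a plain string match inside the selected domain.
    if username_hint:
        for a in in_domain:
            if a.sam == username_hint:
                return a
    # 3-8. Issuer+Subject, Subject DN, serial number, SKI, certificate hash,
    #      and finally the remaining SAN attribute (e-mail), in that order.
    keys = [f"I={cert.issuer};S={cert.subject}", f"S={cert.subject}",
            f"SR={cert.serial}", f"SKI={cert.ski}", f"SHA1={cert.sha1}"]
    if cert.san_email:
        keys.append(f"RFC822={cert.san_email}")
    for key in keys:
        for a in in_domain:
            if key in a.explicit_mappings:
                return a
    return None

def ntauth_ok(cert: Cert) -> bool:
    """NT_AUTH policy check the post mentions: the issuing CA must be in NTAuth."""
    return cert.issuer in NTAUTH_STORE
```

A certificate that maps to an account but fails ntauth_ok would still be refused for Kerberos logon.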
Note: PKINIT stands for Public Key Cryptography for Initial Authentication in Kerberos, and it means using smart cards for logon.