More about Smart Card logon and Certificates Mapping


Because the UPN is the only unique attribute for the user in the forest, don't include the UPN in the certificate when you go beyond one-to-one mapping between accounts and certificates.

Smart Card logon for multiple certificates into a single account:

A group of users might log on to a single account (for example, an administrator account). For that account, user certificates are mapped so that they are enabled for logon.

Several distinct certificates can also be mapped to a single account (for this to work properly, the certificates cannot have UPNs).

This is done through Name Mappings in Active Directory Users and Computers. Right-click the single account, choose Name Mappings, and import the certificates.

Smart Card logon for a single certificate into multiple accounts:

A single user certificate can be mapped to multiple accounts. For example, a user might be able to log on to his own user account and also log on as a domain administrator. The mapping happens according to the criteria mentioned in my previous blog about smart card certificate mapping.

- You should enable the X509 hints GPO so that the user can provide the information for the account they want to log on as.

- There should be no UPN present in the certificate.
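Both patterns above (several certificates mapped to one account, and one certificate mapped to several accounts) can be audited from the explicit mappings that Name Mappings stores in each account's `altSecurityIdentities` attribute. The script below is an added example, not code from the original post; the function name `Get-CertificateMappingReport`, the account names and the mapping strings are constructed for illustration.

```powershell
# Constructed sample data. In a domain, the same shape comes from:
#   Get-ADUser -LDAPFilter '(altSecurityIdentities=*)' -Properties altSecurityIdentities
$sampleAccounts = @(
    [pscustomobject]@{ SamAccountName = 'shared-admin'; altSecurityIdentities = @(
        'X509:<I>DC=test,DC=example,CN=Example Issuing CA<S>CN=Alice',
        'X509:<I>DC=test,DC=example,CN=Example Issuing CA<S>CN=Bob') },
    [pscustomobject]@{ SamAccountName = 'alice'; altSecurityIdentities = @(
        'X509:<I>DC=test,DC=example,CN=Example Issuing CA<S>CN=Alice') },
    [pscustomobject]@{ SamAccountName = 'carol'; altSecurityIdentities = @(
        'X509:<I>DC=test,DC=example,CN=Example Issuing CA<S>CN=Carol') }
)

function Get-CertificateMappingReport {
    param([Parameter(Mandatory)] [object[]] $Accounts)

    # Flatten to one row per (account, X509 mapping); other mapping types are skipped.
    $rows = foreach ($account in $Accounts) {
        foreach ($mapping in @($account.altSecurityIdentities)) {
            if ($mapping -like 'X509:*') {
                [pscustomobject]@{ Account = $account.SamAccountName; Mapping = [string]$mapping }
            }
        }
    }

    # Several certificates mapped to a single account (for example a shared admin account).
    $rows | Group-Object -Property Account | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{
            Pattern = 'Multiple certificates -> one account'
            Key     = $_.Name
            Members = $_.Group.Mapping
        }
    }

    # A single certificate mapped to several accounts (user account plus admin account).
    $rows | Group-Object -Property Mapping | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{
            Pattern = 'One certificate -> multiple accounts'
            Key     = $_.Name
            Members = $_.Group.Account
        }
    }
}

Get-CertificateMappingReport -Accounts $sampleAccounts | Format-List
```

With the sample data, `shared-admin` is reported for the first pattern and the `CN=Alice` mapping (held by both `shared-admin` and `alice`) for the second; every certificate that appears in the report should be one issued without a UPN.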
