Because the UPN is the only attribute that uniquely identifies a user across the forest, do not include a UPN in the certificate whenever you go beyond a one-to-one mapping between accounts and certificates.
Smart Card logon for multiple certificates into a single account:
A group of users might log on to a single account (for example, an administrator account). For that account, each user's certificate is mapped so that it is enabled for logon.
Several distinct certificates can also be mapped to a single account (for this to work properly, the certificates must not contain a UPN).
This is done through Name Mappings in Active Directory Users and Computers: right-click the single account, choose Name Mappings, and import the certificates.
Smart Card logon for a single certificate into multiple accounts:
A single user certificate can be mapped to multiple accounts. For example, a user might be able to log on to his own user account and also to log on as a domain administrator. The mapping happens according to the criteria described in my previous blog post about smart card certificate mapping.
– You should enable the x509 Hints GPO so that the user can provide the name of the account he wants to log on as.
– There must be no UPN present in the certificate.
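The following PowerShell is an added example and is not code from the original post. It covers both cases above without going through the ADUC dialog: it checks each certificate for a UPN in the Subject Alternative Name (the condition both sections insist on), builds the Issuer/Subject entry that Name Mappings stores in the account's altSecurityIdentities attribute, and applies it either as several certificates on one account or as one certificate on several accounts. It assumes the ActiveDirectory module is installed, that the caller has rights to edit the target accounts, and that the certificate paths and account names (C:\certs\..., SharedAdmin, jdoe, jdoe-admin) are placeholders. The x509 Hints policy is the "Allow user name hint" smart card policy; the registry value shown is the one that policy controls, and setting it through Group Policy is preferable to writing it locally.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# 1. Does the certificate carry a UPN in its Subject Alternative Name?
#    OID 2.5.29.17 is the SAN extension; on Windows, Format() renders the UPN
#    otherName as "Other Name:Principal Name=user@domain".
function Test-CertHasUpn {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $false }
    return ($san.Format($false) -match 'Principal Name=')
}

# 2. Build the altSecurityIdentities entry in the form X509:<I>issuer<S>subject.
#    Windows stores issuer and subject with their RDNs in reverse order relative
#    to the certificate, e.g. "CN=Issuing CA, DC=contoso, DC=com" becomes
#    "DC=com,DC=contoso,CN=Issuing CA".
function ConvertTo-AltSecurityIdentity {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $reverseDn = {
        param($dn)
        # Simple split on commas; adequate for DNs that contain no escaped commas.
        $parts = $dn -split ',\s*'
        [array]::Reverse($parts)
        $parts -join ','
    }
    $issuer  = & $reverseDn $Cert.Issuer
    $subject = & $reverseDn $Cert.Subject
    return "X509:<I>$issuer<S>$subject"
}

# Loads a .cer file and refuses it if it contains a UPN, since neither mapping
# style below works with a UPN in the certificate.
function Get-MappableCert {
    param([Parameter(Mandatory)][string]$Path)
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    if (Test-CertHasUpn $c) {
        throw "$Path carries a UPN; remove the UPN before mapping it to anything other than its own account."
    }
    return $c
}

# 3a. Several certificates -> one shared account (placeholder paths and account).
$entries = Get-ChildItem -Path 'C:\certs\shared-admin\*.cer' | ForEach-Object {
    ConvertTo-AltSecurityIdentity (Get-MappableCert $_.FullName)
}
Set-ADUser -Identity 'SharedAdmin' -Replace @{ altSecurityIdentities = [string[]]$entries }

# 3b. One certificate -> several accounts: add the same entry to each account.
$entry = ConvertTo-AltSecurityIdentity (Get-MappableCert 'C:\certs\jdoe.cer')
foreach ($acct in 'jdoe', 'jdoe-admin') {
    Set-ADUser -Identity $acct -Add @{ altSecurityIdentities = $entry }
}

# 4. For 3b the user must be able to type the account to log on as, which the
#    "Allow user name hint" (x509 Hints) policy enables. Shown here as the local
#    registry value the policy sets; deploy it via GPO in practice.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name 'X509HintsNeeded' -Value 1 -Type DWord

# Verify what ended up on the accounts.
Get-ADUser -Identity 'jdoe-admin' -Properties altSecurityIdentities |
    Select-Object -ExpandProperty altSecurityIdentities
```

Two practical points when using this: the Issuer/Subject form produced here is the same entry the ADUC Name Mappings dialog writes, so existing GUI mappings and scripted ones can be reviewed together with the final Get-ADUser call; and since the May 2022 certificate-based authentication hardening (KB5014754), Issuer/Subject is classed as a weak mapping, so on current domain controllers an Issuer plus Serial number (X509:<I>...<SR>...) or SKI based entry is the form to prefer for the same many-to-one and one-to-many layouts.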