

Log on to AD without UPN and EKU in the certificate

Logging on to Windows and AD with a smart card is normally no big deal. However, if you have enrolled certificates that contain neither the EKU nor the UPN, some changes are required.

EKU = Extended/Enhanced Key Usage

The OID that Microsoft requires to be present in the certificate for logon to Windows and AD.


(Screenshot: list of certificates)

UPN = User Principal Name

The RFC822 Name is the email address.

(Screenshot: list of certificates)

Do you have to enroll new certificates if you forgot EKU/UPN?

a) If you issued a small number of smart cards: redo them the right way.
b) If you issued many smart cards: make the change so that newly issued cards get the right certificate structure.

For users who need to log on to the domain in the meantime, use the following workaround until the certificates are replaced.

Windows Server and client configuration

Start by finding the account you want to enable for logon without EKU/UPN.
Right-click it and choose Name Mappings…

(Screenshot: list with the highlighted menu choice)

Click "Add..." under "X.509 Certificates" tab

(Screenshot: Security Identity Mapping dialog)

Now you have to add a certificate file. The mapping is built from the information read from that file, so it is not a one-to-one binding to that specific certificate: if temporary cards carry the same information, they can be used without any problem.

(Screenshot: certificate dialog)

Check the two Identity mapping boxes.

(Screenshot: Windows dialog with certificate information)

The values end up in "altSecurityIdentities", visible under the Attribute Editor tab.
This should be scriptable if all the input data exists.
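As an added example (not part of the original article or of the Net iD product), the following PowerShell script builds the same issuer+subject mapping string that the Name Mappings dialog writes and adds it to altSecurityIdentities. It assumes the RSAT ActiveDirectory module is installed, that you run it with rights to modify the user, and that the certificate has been exported from the card to a .cer file.

```powershell
# Added example: write an issuer+subject altSecurityIdentities mapping for one user.
# Assumes the ActiveDirectory module (RSAT) and a DER/PEM certificate file from the card.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # target AD account
    [Parameter(Mandatory)] [string] $CertificatePath   # exported .cer from the smart card
)
Import-Module ActiveDirectory

function ConvertTo-ReversedDn {
    # The mapping format lists the DN root-first ("DC=com,DC=contoso,CN=CA"),
    # the reverse of the certificate's display order ("CN=CA, DC=contoso, DC=com").
    # Format($true) yields one RDN per line, so escaped commas inside values are safe.
    param([System.Security.Cryptography.X509Certificates.X500DistinguishedName] $Dn)
    $rdns = @($Dn.Format($true) -split "`r?`n" | Where-Object { $_ -ne '' })
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertificatePath

# Same string the GUI produces when both Identity mapping boxes are checked.
$mapping = 'X509:<I>{0}<S>{1}' -f (ConvertTo-ReversedDn $cert.IssuerName),
                                  (ConvertTo-ReversedDn $cert.SubjectName)

$user = Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities
if ($user.altSecurityIdentities -contains $mapping) {
    Write-Host "Mapping already present on $SamAccountName"
} else {
    # -Add keeps any existing mappings on the account instead of replacing them.
    Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mapping }
    Write-Host "Added mapping: $mapping"
}
```

Because the mapping matches on issuer and subject only, any certificate from that CA with the same subject will satisfy it, which is the behaviour the article describes; treat it as a temporary measure and remove the mapping once proper certificates are in place.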

(Screenshot: Windows dialog with the value string)

If you are running Windows 7 or Windows 10 with the Net iD pass-through Credential Provider, the client must be prepared with a GPO that allows certificates without EKU to be shown.

(Screenshot: certificate information)

For Windows 10 the recommendation is to use the Net iD Full credential provider.
In that case, Mode 0x1131 needs to be configured.
