Log on to AD without UPN and EKU in the certificate
Logging on to Windows and AD with a smart card is normally no big deal. However, if you have enrolled certificates that do not contain an EKU and a UPN, some changes are required.
EKU = Extended/Enhanced Key Usage
The OID that Microsoft has specified must be present in the certificate for logon to Windows and AD.
UPN = User Principal Name
RFC822 Name = the email address
Do I have to enroll new certificates if I forgot EKU/UPN?
a) If you have issued only a few smart cards: redo them the right way.
b) If you have issued many smart cards: make the change so that newly issued cards get the right certificate structure.
For those who need to log on to the domain in the meantime, use the following example until the certificates are replaced.
Windows Server and client configuration
Start by finding the account you want to enable logon without EKU/UPN for.
Right-click it and choose Name Mappings...
Click "Add..." under the "X.509 Certificates" tab.
Now you have to add a certificate file. The information is read from the file; it is not a one-to-one binding to that specific certificate. If temporary cards carry the same information, they can be used without problems.
Check both Identity mapping boxes.
The values end up in "altSecurityIdentities", visible under the Attribute Editor tab.
This should be scriptable if all the input data exists.
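Here is an added PowerShell example (not from the original article) of what that script could look like. It reads the certificate file, builds the value the Name Mappings dialog writes when both Identity mapping boxes are checked (X509:<I>issuerDN<S>subjectDN, with the DN components in reverse order compared to the certificate viewer), and appends it to altSecurityIdentities. It assumes the RSAT ActiveDirectory module is installed and that the caller can write to the account; the account name and file path are placeholders. It goes one step beyond the article: with -Strong it instead writes the issuer plus reversed serial number (X509:<I>...<SR>...) form, which domain controllers updated per KB5014754 treat as a strong mapping, whereas issuer+subject is considered weak. The serial-based form is a one-to-one binding, so temporary cards would need their own mapping.

```powershell
# Added example, not the article's own script. Scripts the "Name Mappings" step.
# Assumes: RSAT ActiveDirectory module, write access to the target account.
# $SamAccountName and $CertificatePath are placeholders supplied by the caller.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # placeholder, e.g. 'jdoe'
    [Parameter(Mandatory)] [string] $CertificatePath,  # .cer/.crt exported from the card
    [switch] $Strong                                   # issuer+serial instead of issuer+subject
)

function Convert-ToMappingDn {
    # ADUC stores the DN with the RDNs reversed and without spaces:
    # "CN=user, OU=x, DC=contoso, DC=com" becomes "DC=com,DC=contoso,OU=x,CN=user".
    # Split only on commas that are not escaped, so "CN=Doe\, John" stays intact.
    param([string] $Dn)
    $rdns = @($Dn -split '(?<!\\),\s*' | Where-Object { $_ -ne '' })
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

function Get-MappingString {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [bool] $UseSerial
    )
    $issuer = Convert-ToMappingDn $Cert.Issuer
    if ($UseSerial) {
        # <SR> = serial number with its byte order reversed (strong mapping form).
        # .SerialNumber is a hex string in display order; reverse it two chars at a time.
        $bytes = @(for ($i = 0; $i -lt $Cert.SerialNumber.Length; $i += 2) {
            $Cert.SerialNumber.Substring($i, 2)
        })
        [array]::Reverse($bytes)
        return "X509:<I>$issuer<SR>$($bytes -join '')"
    }
    # Same value the GUI writes with both "Use Issuer" and "Use Subject" checked.
    $subject = Convert-ToMappingDn $Cert.Subject
    return "X509:<I>$issuer<S>$subject"
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertificatePath
$mapping = Get-MappingString -Cert $cert -UseSerial:$Strong.IsPresent
Write-Host "Mapping value: $mapping"

# altSecurityIdentities is multi-valued; -Add appends rather than overwriting.
$user = Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities
if ($user.altSecurityIdentities -contains $mapping) {
    Write-Host "Mapping already present on $SamAccountName, nothing to do."
} else {
    Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mapping }
    Write-Host "Added mapping to $SamAccountName."
}
```

Run it as `.\Add-CertMapping.ps1 -SamAccountName jdoe -CertificatePath .\card.cer` (file name and values are placeholders). Afterwards the value is visible in the Attribute Editor exactly as if it had been added through the Name Mappings dialog.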
If you are running Windows 7 or Windows 10 with the Net iD pass-through Credential Provider, the client must be prepared with a GPO that makes certificates without EKU visible.
For Windows 10, the recommendation is to use the Net iD full credential provider.
In this case, Mode 0x1131 needs to be configured.
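As an added example (not from the original article), the Windows policy that makes the built-in smart card credential provider list certificates without an EKU is "Allow certificates with no extended key usage certificate attribute", under Computer Configuration > Administrative Templates > Windows Components > Smart Card. The registry value below is the one that policy sets; it is useful for testing on a single client before the GPO is rolled out. The Net iD Mode 0x1131 setting is product-specific and is not covered here.

```powershell
# Added example, not the article's own script. Sets the Windows smart card policy
# "Allow certificates with no extended key usage certificate attribute" locally.
# Run elevated. The value is the one written by the GPO setting named above.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
$valueName = 'AllowCertificatesWithNoEKU'

function Set-SmartCardNoEkuPolicy {
    param([bool] $Enabled)
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    New-ItemProperty -Path $policyKey -Name $valueName -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
}

function Get-SmartCardNoEkuPolicy {
    $v = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $v) {
        # Default when not configured: certificates without EKU are not offered for logon.
        return 'Not configured (certificates without EKU are hidden)'
    }
    if ($v.$valueName -eq 1) { return 'Enabled' } else { return 'Disabled' }
}

Set-SmartCardNoEkuPolicy -Enabled $true
Write-Host ("{0}: {1}" -f $valueName, (Get-SmartCardNoEkuPolicy))
```

Once the GPO is in place, a local value set this way is overwritten on the next policy refresh, so remove it again rather than relying on it as the permanent configuration.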