
Log on to AD without UPN/EKU in certificate


Log on to AD without UPN and EKU in the certificate

Logging on to Windows and AD with a smart card is normally no big deal; however, if you have enrolled certificates that contain neither an EKU nor a UPN, some changes are required.

EKU = Extended/Enhanced Key Usage

The OID that Microsoft has specified must be present in the certificate for logon to Windows and AD.


UPN = Unique Principal Name

The RFC822 Name is the email address.

Do you have to enroll new certificates if you forgot the EKU/UPN?

a) If you issued a small number of smart cards, redo them the right way.
b) If you issued many smart cards, make the change so that newly issued cards get the right certificate structure.

For those who need to log on to the domain, use the following example until the certificates are replaced.

Windows Server and client configuration

Start by finding the account for which you want to enable logon without EKU/UPN.
Right click it and choose Name Mappings...

Click "Add..." under "X.509 Certificates" tab

Now you have to add a certificate file. The mapping is built from the information read from that file; it is not a one-to-one binding to that specific certificate. If your temporary cards carry the same information, there will be no problem using them.

Check the two identity mapping boxes.

The values end up in "altSecurityIdentities" under the Attribute Editor.
This should be scriptable if all the input data exists.
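As an added example (not part of the original article or the Net iD product), the script below does the mapping step from the Name Mappings dialog in PowerShell and also checks a certificate file for the Smart Card Logon EKU and UPN discussed earlier, so you can see whether a card needs the workaround at all. It assumes the ActiveDirectory module (RSAT) is installed on the machine, and the file path and account name are placeholders. The default issuer-plus-subject form is exactly what the dialog writes when both identity mapping boxes are checked; the optional issuer-plus-serial form is one of the mappings that Microsoft's KB5014754 classifies as strong, whereas the issuer-plus-subject form is classified as weak there.

```powershell
# Added example, not from the original article. Assumes RSAT / ActiveDirectory module.
param(
    [string]$CertPath = 'C:\temp\jane-doe.cer',   # placeholder: exported user certificate
    [string]$SamAccountName = 'jane.doe',          # placeholder: account to map
    [switch]$Strong                                # issuer + reversed serial instead of issuer + subject
)

Import-Module ActiveDirectory

# Report whether the certificate already carries what Windows logon expects:
# the Smart Card Logon EKU (1.3.6.1.4.1.311.20.2.2) and a UPN in the SAN extension
# (2.5.29.17). The UPN check relies on Windows' text rendering of the SAN ("Principal Name=").
function Test-SmartCardLogonCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasEku = $false
    if ($ekuExt) {
        $hasEku = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.4.1.311.20.2.2' })
    }
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $hasUpn = $false
    if ($sanExt) { $hasUpn = $sanExt.Format($false) -match 'Principal Name=' }
    [pscustomobject]@{ HasSmartCardLogonEku = $hasEku; HasUpn = $hasUpn }
}

# altSecurityIdentities wants the DN most-significant-first and comma-separated
# ("C=SE,O=Example,CN=Jane Doe"), while .NET displays it CN-first with ", " separators.
# The split below assumes no escaped commas inside attribute values.
function ConvertTo-MappingDN {
    param([string]$DisplayDN)
    $parts = $DisplayDN -split ',\s*(?=[A-Za-z0-9.]+=)'
    [array]::Reverse($parts)
    return ($parts -join ',')
}

function Get-AltSecurityIdentity {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [switch]$Strong
    )
    $issuer = ConvertTo-MappingDN $Cert.Issuer
    if ($Strong) {
        # GetSerialNumber() returns the serial little-endian, i.e. already in the
        # byte-reversed order that the <SR> form requires.
        $serialHex = ($Cert.GetSerialNumber() | ForEach-Object { $_.ToString('X2') }) -join ''
        return "X509:<I>$issuer<SR>$serialHex"
    }
    # Same value the Name Mappings dialog writes with both boxes checked. Any certificate
    # from the same issuer with the same subject matches, which is why temporary cards work.
    $subject = ConvertTo-MappingDN $Cert.Subject
    return "X509:<I>$issuer<S>$subject"
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

$check = Test-SmartCardLogonCert -Cert $cert
Write-Host ("Smart Card Logon EKU present: {0}, UPN present: {1}" -f $check.HasSmartCardLogonEku, $check.HasUpn)

$value = Get-AltSecurityIdentity -Cert $cert -Strong:$Strong
Write-Host "Writing mapping: $value"

# -Add appends, so an account can keep several mappings (e.g. for a temporary card);
# use -Replace instead if the old value must go.
Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $value }

# Read back what landed in the attribute.
(Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities).altSecurityIdentities
```

Run it as a user with write access to the target account, for example `.\Map-SmartCard.ps1 -CertPath .\card.cer -SamAccountName jane.doe`. The first line of output tells you whether the card is missing the EKU or the UPN; the mapping is only needed when it is.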

If you are running Windows 7 or Windows 10 with the Net iD pass-through Credential Provider, you need to prepare the client with a GPO that makes certificates without an EKU visible.

For Windows 10, the recommended option is the Net iD full credential provider.
In that case, Mode 0x1131 needs to be configured.

Do you have more questions?

Don't hesitate to contact us to get answers to your questions.