I'm curious about Microsoft's decision not to honor the new SID extension when Certificate Mapping is used over UPN mapping where the UseSubjectAltName registry value is 0. We have our internal Microsoft CA integrated with the Citrix Federated Authentication Service. With the way FAS works, it would be difficult to establish a strong (SKI- or Serial Number-based) mapping in the AltSecurityIdentities user attribute for these certificates, as they are issued on demand to FAS by the CA and have a short (7-day default) validity period. We were operating under the now incorrect assumption that, since the certificates are issued from the internal CA, the new SID extension present in the certificate would qualify the existing IssuerSubject mapping in AltSecurityIdentities as being strong. Are you working with Citrix to address this issue? If not, would using the policy 1 example tuple above allow our FAS service to continue working until there is a long-term solution? There is another post on the Citrix support forums from a user facing a similar scenario, which will be common in government environments utilizing Citrix FAS: https://community.citrix.com/forums/topic/253495-virtualsmartcard-authentication-using-the-certificate-san/#_=_
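For readers weighing the commenter's point about short-lived FAS certificates, the following is an added PowerShell example (not part of the original post, and not Microsoft's or Citrix's own tooling) that builds the two strong altSecurityIdentities mapping strings documented in KB5014754 (X509:<I>issuer<SR>reversed-serial and X509:<SKI>ski) from a certificate, reports whether the certificate carries the new SID extension (OID 1.3.6.1.4.1.311.25.2), and writes the strong mappings to a user. It assumes the RSAT ActiveDirectory module is installed and that the certificate is readable from disk; the file path `C:\temp\user.cer` and the user `jdoe` are placeholders. The SKI value is lower-cased only to match the form of the KB's example.

```powershell
# Added example, not part of the original post, Microsoft's KB article, or Citrix FAS.
# Assumptions: RSAT ActiveDirectory module present; certificate path and user name are placeholders.
Import-Module ActiveDirectory -ErrorAction Stop

# Builds the strong mapping strings from KB5014754:
#   X509:<I>issuer<SR>serial   (issuer RDNs reversed, serial in reverse byte order)
#   X509:<SKI>ski              (Subject Key Identifier, when the cert has one)
function Get-StrongCertMappings {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Format($true) emits one RDN per line, leaf component first (CN=..., DC=..., DC=...).
    # KB5014754 writes the issuer root-first, so reverse the RDN order.
    # Assumes no RDN value contains an embedded newline.
    $rdns = @($Certificate.IssuerName.Format($true) -split "`r?`n" |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
    [array]::Reverse($rdns)
    $issuer = $rdns -join ','

    # .NET exposes the serial number as a big-endian hex string; <SR> needs reverse byte order.
    $hex = $Certificate.SerialNumber
    $bytes = @(for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2) })
    [array]::Reverse($bytes)
    $serialReversed = $bytes -join ''

    $mappings = @("X509:<I>$issuer<SR>$serialReversed")

    # Subject Key Identifier extension (OID 2.5.29.14) is surfaced as a typed extension.
    $skiExt = $Certificate.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.14' } |
        Select-Object -First 1
    if ($skiExt) {
        $mappings += "X509:<SKI>$($skiExt.SubjectKeyIdentifier.ToLower())"
    }
    return $mappings
}

# The new SID extension (OID 1.3.6.1.4.1.311.25.2) is the KB5014754 binding of a
# certificate to an account. This only reports whether it is present; it does not parse it.
function Test-HasSidExtension {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    return [bool]($Certificate.Extensions |
        Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.25.2' })
}

# Usage with placeholder path and user. For an on-demand, 7-day FAS certificate this
# would have to be rerun on every issuance, since <SR> and <SKI> change with each cert.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\user.cer'
$strong = Get-StrongCertMappings -Certificate $cert

Write-Host "SID extension present: $(Test-HasSidExtension -Certificate $cert)"
Write-Host "Strong mappings to write:"
$strong | ForEach-Object { Write-Host "  $_" }

# -Replace overwrites any existing (possibly weak, e.g. <I>...<S>...) values on the user.
Set-ADUser -Identity 'jdoe' -Replace @{ altSecurityIdentities = $strong }
```

The <I><S> (IssuerSubject) form the commenter is relying on is listed in KB5014754 as a weak mapping regardless of which CA issued the certificate; the example above shows concretely what would have to be written per issuance to replace it with a strong one.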