Forum Discussion

Jan Liikamaa's avatar
Jan Liikamaa
Copper Contributor
Oct 28, 2025
Solved

Certificate authentication with SID not working

When trying to login to Windows (against AD) using a certificate with the SID extension present in the certificate, it will not work if the SAN UPN is missing in the certificate. The error message "Y...
Active Directory
security
  • hasanemresatilmis's avatar
    hasanemresatilmis
    Oct 30, 2025

    Yes, this behavior is by design. Windows certificate-based logon requires the Subject Alternative Name (SAN) extension with a valid User Principal Name (UPN) for proper mapping to the AD user account even if the SID extension is present.

hasanemresatilmis's avatar
hasanemresatilmis
MCT
Oct 30, 2025

Yes, this behavior is by design. Windows certificate-based logon requires the Subject Alternative Name (SAN) extension with a valid User Principal Name (UPN) for proper mapping to the AD user account even if the SID extension is present.

  • Jan Liikamaa's avatar
    Jan Liikamaa
    Copper Contributor
    Oct 30, 2025

    Thanks for the clarification! It would be great if Microsoft could update the "Certificate processing logic" flowchart on https://learn.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration

Resources