Forum Discussion
Certificate authentication with SID not working
When trying to log in to Windows (against AD) using a certificate with the SID extension present in the certificate, it will not work if the SAN UPN is missing in the certificate. The error message "Your credentials could not be verified" will be displayed. Changing the certificate template to include SAN UPN will make the login work as expected. Is it by design?
2 Replies

- Yes, this behavior is by design. Windows certificate-based logon requires the Subject Alternative Name (SAN) extension with a valid User Principal Name (UPN) for proper mapping to the AD user account even if the SID extension is present.

- Jan Liikamaa (Copper Contributor): Thanks for the clarification! It would be great if Microsoft could update the "Certificate processing logic" flowchart on https://learn.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration
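An added example, not part of this thread, for auditing which of the two mapping inputs an issued certificate actually carries before a template is rolled out: the SAN UPN otherName (OID 1.3.6.1.4.1.311.20.2.3) and the SID security extension (OID 1.3.6.1.4.1.311.25.2) are Microsoft's standard OIDs; the function name is my own, and the SAN is walked as raw DER so the result does not depend on the locale-specific text `Format()` would return.

```powershell
# Added example (not from the thread). Reports whether a certificate carries the SID
# extension and a UPN in the SAN; per the thread, only the latter makes AD logon mapping work.
function Test-CertLogonMapping {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # Minimal DER tag/length reader: where the value starts, its length, and the next TLV offset
    function Read-Tlv([byte[]]$Bytes, [int]$Pos) {
        $tag = $Bytes[$Pos]; $len = [int]$Bytes[$Pos + 1]; $hdr = 2
        if ($len -band 0x80) {                                   # long-form length
            $n = $len -band 0x7F; $len = 0
            for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor $Bytes[$Pos + 2 + $i] }
            $hdr = 2 + $n
        }
        [pscustomobject]@{ Tag = $tag; Start = $Pos + $hdr; Length = $len; Next = $Pos + $hdr + $len }
    }

    $upnOidHex = '2B-06-01-04-01-82-37-14-02-03'                 # DER of 1.3.6.1.4.1.311.20.2.3 (UPN otherName)
    $upns = @()
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if ($san) {
        $raw = $san.RawData
        $seq = Read-Tlv $raw 0                                   # SEQUENCE OF GeneralName
        $pos = $seq.Start
        while ($pos -lt $seq.Next) {
            $gn = Read-Tlv $raw $pos
            if ($gn.Tag -eq 0xA0) {                              # otherName [0]: { type-id OID, [0] EXPLICIT value }
                $oid = Read-Tlv $raw $gn.Start
                if ([BitConverter]::ToString($raw, $oid.Start, $oid.Length) -eq $upnOidHex) {
                    $wrapper = Read-Tlv $raw $oid.Next           # [0] EXPLICIT wrapper
                    $str     = Read-Tlv $raw $wrapper.Start      # UTF8String holding the UPN
                    $upns += [Text.Encoding]::UTF8.GetString($raw, $str.Start, $str.Length)
                }
            }
            $pos = $gn.Next
        }
    }
    $hasSid = [bool]($Certificate.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.25.2' })

    [pscustomobject]@{
        Subject         = $Certificate.Subject
        HasSidExtension = $hasSid
        SanUpn          = ($upns -join ';')
        LogonMappingOk  = ($upns.Count -gt 0)                    # SID alone is not sufficient, as the thread states
    }
}

# Usage: review every certificate in the current user's personal store
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-CertLogonMapping -Certificate $_ } | Format-Table -AutoSize
```

A certificate issued from the problematic template shows `HasSidExtension = True` with an empty `SanUpn`, which is exactly the combination that produces "Your credentials could not be verified".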