Custom attributes in Subject of Smart card logon certificate
Bonjour All,

First I explain the scenario. My domain name is, let's say, idtech.com. Under it I have created an OU=Certificate Users. Users are created under this OU. So my FQDN of a user is CN=scott,OU=Certificate Users,DC=idtech,DC=com. The same FQDN is in the subject of the user certificate & SC logon is working fine.

My question is: if I manage to add some custom attributes in the certificate subject, let's say age=32 & branch=Sales Department, so my certificate subject will become CN=scott,AGE=32,BRANCH=Sales Department,OU=Certificate Users,DC=idtech,DC=com, would it affect the Smart card logon functionality? Can it create other problems in future?

Regards
Scott Thomas
January 12th, 2011 1:12pm

Yes, you can, but you can use only valid X500 suffixes and it seems like AGE is not valid.

http://en-us.sysadmins.lv
January 12th, 2011 1:48pm

Yes, you can, but you can use only valid X500 suffixes and it seems like AGE is not valid. http://en-us.sysadmins.lv

Bonjour Vadims,

Thanks for the reply. If I use some existing attribute that is a valid X500 suffix in the certificate subject, but this attribute's value differs in AD, such as if I use Title and store the Branch (Sales Department) in it, but in AD the employee Rank is being stored in that attribute. This means that the values in the Title attribute in the certificate subject & the Title attribute of AD have different values.

Certificate Subject: CN=scott,Title=Sales Department,OU=Certificate Users,DC=idtech,DC=com

But in AD, Title has a different value, e.g. 'Manager'. I have deeply studied the PKI RFC & Smart card logon requirements and have a strong assumption that Smart Card Logon just requires UPN and it will definitely log in. Kindly confirm this scenario for me.

Best Regards
Scott
January 17th, 2011 9:42am

Yes, of course you can add custom attributes. However you should consider the following: you will have to manually construct the subject for certificates (including UPN); you will have to enable the SubjectAlternateName attribute on the CA server; you will have to assign a highly trusted independent employee who will issue certificates for smart cards. It is not recommended to allow users to manually request such certificates due to security violations (impersonation of a legitimate user).

http://en-us.sysadmins.lv
January 17th, 2011 11:10am

Yes, of course you can add custom attributes. However you should consider the following: you will have to manually construct the subject for certificates (including UPN); you will have to enable the SubjectAlternateName attribute on the CA server; you will have to assign a highly trusted independent employee who will issue certificates for smart cards. It is not recommended to allow users to manually request such certificates due to security violations (impersonation of a legitimate user). http://en-us.sysadmins.lv

I have tested the above scenario & added some valid X500 attributes in the certificate subject. SC logon was successful. I had not included UPN in the certificate subject and I do not think that the presence of UPN in the certificate subject is a requirement of SC logon. UPN is already present in the SubjectAltName and Microsoft also requires its presence in SubjectAltName.

Regards
Scott Thomas
January 21st, 2011 4:19am

The SAN extension is not required in Windows Vista and higher systems. In that case explicit certificate mapping is used.

http://en-us.sysadmins.lv
January 21st, 2011 5:07am
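The thread turns on which attribute types are legal in a subject DN: AGE and BRANCH are not registered X.500 attribute types, while Title (OID 2.5.4.12) is. The following added example (not from the thread or from sysadmins.lv) parses an RFC 4514 string DN such as the ones Scott posted and reports the attribute types a CA will not recognise. The short-name table is an assumption: it follows RFC 4514 plus the LDAP names, with "T" for title as certreq spells it and "E" for emailAddress as OpenSSL spells it.

```python
import re

# Attribute types a CA accepts in a subject DN, keyed by short name (assumed
# table: RFC 4514 names, common LDAP names, certreq's "T", OpenSSL's "E").
KNOWN_ATTRIBUTE_TYPES = {
    "CN": "2.5.4.3", "SN": "2.5.4.4", "C": "2.5.4.6", "L": "2.5.4.7",
    "ST": "2.5.4.8", "STREET": "2.5.4.9", "O": "2.5.4.10", "OU": "2.5.4.11",
    "T": "2.5.4.12", "TITLE": "2.5.4.12", "GIVENNAME": "2.5.4.42",
    "INITIALS": "2.5.4.43", "DC": "0.9.2342.19200300.100.1.25",
    "UID": "0.9.2342.19200300.100.1.1", "E": "1.2.840.113549.1.9.1",
    "EMAILADDRESS": "1.2.840.113549.1.9.1",
}

_OID_LITERAL = re.compile(r"^\d+(\.\d+)+$")


def parse_dn(dn):
    """Split an RFC 4514 string DN into (type, value) pairs, leftmost first.

    A comma escaped with a backslash (e.g. 'Sales\\, EMEA') stays in the value
    instead of starting a new RDN.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr_type, sep, raw_value = rdn.strip().partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % rdn)
        value = re.sub(r"\\(.)", r"\1", raw_value)  # drop RFC 4514 escapes
        pairs.append((attr_type.strip(), value))
    return pairs


def unknown_attribute_types(dn):
    """Return the attribute types in `dn` that are not registered X.500 types.

    Dotted OID literals are always accepted; any other name must be in the
    short-name table.  AGE and BRANCH from the thread end up in this list.
    """
    bad = []
    for attr_type, _ in parse_dn(dn):
        if _OID_LITERAL.match(attr_type):
            continue
        if attr_type.upper() not in KNOWN_ATTRIBUTE_TYPES:
            bad.append(attr_type)
    return bad


if __name__ == "__main__":
    # Constructed inputs: the two subjects proposed in the thread.
    proposed = "CN=scott,AGE=32,BRANCH=Sales Department,OU=Certificate Users,DC=idtech,DC=com"
    accepted = "CN=scott,Title=Sales Department,OU=Certificate Users,DC=idtech,DC=com"
    print("rejected types:", unknown_attribute_types(proposed))
    print("rejected types:", unknown_attribute_types(accepted))
```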
