Smart Card Logon Question
Microsoft Base CSP compliant card used for 2FA to Windows 7. When you insert the card into the reader, the logon UI displays your UPN - where does it get this from, before entering the PIN? Thanks very much for your assistance.
Identity & Metadirectory, Hewlett-Packard UK
February 10th, 2011 6:04pm

For smart card logon to work, the user's UPN is stored in the Subject Alternate Name extension of the smart card logon certificate. You are simply seeing the UPN from the certificate.
Brian
February 10th, 2011 6:06pm

Yes Brian, that was my understanding. But I thought you couldn't access the certificate until you had entered the PIN, or have I misunderstood this and the PIN is protecting the private key material rather than the logon cert? Many thanks for your help.
Identity & Metadirectory, Hewlett-Packard UK
February 10th, 2011 6:25pm

Smart cards have both a public and a private component. The certificate is public information and is not protected by the PIN. Only secure material, such as private key material, is protected by the PIN. I recommend you do some reading on smart card basics.
Brian
February 10th, 2011 6:36pm

Cheers Brian. Thanks very much for your assistance.
Identity & Metadirectory, Hewlett-Packard UK
February 10th, 2011 6:48pm

We don't want to expose our customers' OU structure or DNS domain in the smart card logon cert. I have tested smart card logon using just the login ID in the certificate subject, cn=sAMAccountName. Are there any known issues with this configuration? Cheers
Tom Houston, HP Enterprise Services - UK Identity Management Practice
October 20th, 2011 3:33pm

This topic is archived. No further replies will be accepted.
