Smart Card Logon Question
Microsoft Base CSP compliant card used for 2FA to Windows 7.
When you insert the card into the reader, the logon UI displays your UPN - where does it get this from, before entering the PIN?
Thanks very much for your assistance.
Identity & Metadirectory, Hewlett-Packard UK
February 10th, 2011 6:04pm
For smart card logon to work, the user's UPN is stored in the Subject Alternate Name extension of the smart card logon certificate.
You are simply seeing the UPN from the certificate.
Brian
February 10th, 2011 6:06pm
Yes Brian, that was my understanding.
But I thought you couldn't access the certificate until you had entered the PIN, or have I misunderstood this and the PIN is protecting the private key material rather than the logon cert?
Many thanks for your help.
Identity & Metadirectory, Hewlett-Packard UK
February 10th, 2011 6:25pm
Smart cards have both a public and a private component.
The certificate is public information and is not protected by the PIN.
Only secure material, such as private key material, is protected by the PIN.
I recommend you do some reading on smart card basics.
Brian
February 10th, 2011 6:36pm
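The two answers above can be checked directly on a Windows client: once the card's certificate has been propagated into the user's personal store, the Smart Card Logon EKU and the UPN in the Subject Alternative Name are readable without any PIN, because only the private key is PIN-protected. The script below is an added example, not code from the thread or from Microsoft; it assumes PowerShell on a domain-joined client with the card certificate already in Cert:\CurrentUser\My (a different store path can be passed in), and it uses the standard Microsoft OIDs for the Smart Card Logon EKU and the SAN extension.

```powershell
# Added example: list certificates in a store that carry the Smart Card Logon EKU and
# report the UPN found in their Subject Alternative Name. Only the public certificate
# is read; the private key is never accessed, so no PIN prompt is triggered.

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # EKU OID: Smart Card Logon
$SanOid            = '2.5.29.17'                # Subject Alternative Name extension OID
# The UPN itself sits inside the SAN as an otherName of type 1.3.6.1.4.1.311.20.2.3
# (Principal Name); Windows renders it in Format() output as "Principal Name=<upn>".

function Get-SmartCardLogonUpn {
    param(
        # Store to inspect; the propagated card certificate normally lands here
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # Keep only certificates that assert the Smart Card Logon usage
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if (-not $eku) { return }
        if (-not ($eku.EnhancedKeyUsages.Value -contains $SmartCardLogonEku)) { return }

        # Pull the UPN out of the SAN text rendering, if a SAN is present
        $upn = $null
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
        if ($san -and ($san.Format($true) -match 'Principal Name=(\S+)')) {
            $upn = $Matches[1]
        }

        # New-Object rather than [pscustomobject] so this also runs on the PowerShell 2.0
        # that ships with Windows 7
        New-Object -TypeName PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            Upn           = $upn        # $null means logon must map the account another way
            HasPrivateKey = $cert.HasPrivateKey   # true for a card cert, yet never unlocked here
        }
    }
}

Get-SmartCardLogonUpn | Format-Table Subject, Upn, HasPrivateKey -AutoSize
```

A row with a populated Upn column is exactly what the logon UI shows before the PIN is entered; a row with an empty Upn is a certificate issued without the UPN in the SAN, which is the situation the later question in this thread describes.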
Cheers Brian. Thanks very much for your assistance.
Identity & Metadirectory, Hewlett-Packard UK
February 10th, 2011 6:48pm
We don't want to expose our customers' OU structure or DNS domain in the smart card logon cert.
I have tested smart card logon using just the login ID in the certificate subject, cn=sAMAccountName.
Are there any known issues with this configuration?
Cheers
Tom Houston, HP Enterprise Services - UK Identity Management Practice
October 20th, 2011 3:33pm