Smart Cards issued from different PKIs
Can we use smart cards issued from 3 different PKIs for authentication (one internal, 2 external)? I've only read info regarding internally issued cards from an internal CA, or third-party issued cards from an external PKI. Do the smart cards need to be issued from the same PKI as the DC certificates? Internally issued smart cards will probably use the user's UPN, whereas the external cards will not have the correct UPN. I believe the external cards would need the auth certificate to be mapped to the user's account in AD, is this correct?

Information regarding the environment:
Domain: 2003, soon to be upgraded to 2008 R2
Clients: XP and 7
Internal CA: 2008

Thanks much!
May 31st, 2011 9:24pm

Yes, it is possible. There are some minimum requirements:

1) All PKIs must be trusted by your clients and servers (including domain controllers). This can be accomplished by publishing the PKIs' root certificates to the AD RootCA container.
2) Issuing CA certificates must be published to the AD NTAuthCA container (actually this is a record in AD).

Regarding UPNs: all smart card logon certificates should contain the correct UPN. This is because smart card logon doesn't support explicit certificate mapping (when a certificate is compared with the certificates published under the user account object in AD), and these certificates are mapped implicitly (by comparing the UPN contained in the certificate).

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
May 31st, 2011 10:02pm
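The two requirements in the answer above (root CAs into the RootCA container, issuing CAs into NTAuthCA) and the implicit UPN mapping, as an added PowerShell example that is not part of this thread. The certificate file paths and the PartnerA/PartnerB names are placeholders; it assumes an Enterprise Admin session on a domain-joined machine with the ActiveDirectory module installed.

```powershell
# Added example, not from the thread: trust two external PKIs for smart card logon
# and check that a card certificate carries a UPN that resolves to an AD account.
# Assumptions: file paths and PKI names below are placeholders; run as Enterprise
# Admin on a domain-joined machine with the ActiveDirectory module available.
Import-Module ActiveDirectory

$externalPkis = @(
    @{ Name = 'PartnerA'; Root = 'C:\pki\partnerA-root.cer'; Issuing = 'C:\pki\partnerA-issuing.cer' },
    @{ Name = 'PartnerB'; Root = 'C:\pki\partnerB-root.cer'; Issuing = 'C:\pki\partnerB-issuing.cer' }
)

foreach ($pki in $externalPkis) {
    # 1) Root CA into the AD RootCA container; domain members pick it up on the next GPO refresh.
    certutil -dspublish -f $pki.Root RootCA
    # 2) Issuing CA into the NTAuthCA object; DCs reject smart card logon from issuers missing here.
    certutil -dspublish -f $pki.Issuing NTAuthCA
}

# Show which issuers the forest now treats as NTAuth-trusted.
certutil -viewstore -enterprise NTAuth

# Check one card certificate for the Smart Card Logon EKU and a UPN that matches an AD user,
# which is what implicit mapping on the DC relies on.
function Test-SmartCardLogonCert {
    param([string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # Extended Key Usage (2.5.29.37) must include Smart Card Logon (1.3.6.1.4.1.311.20.2.2).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasScLogon = $false
    if ($eku) {
        $hasScLogon = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.4.1.311.20.2.2' })
    }

    # Subject Alternative Name (2.5.29.17) carries the UPN as "Principal Name=user@domain".
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $upn = $null
    if ($san -and ($san.Format($true) -match 'Principal Name=(\S+)')) { $upn = $Matches[1] }

    $user = $null
    if ($upn) { $user = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -ErrorAction SilentlyContinue }

    [pscustomobject]@{
        Subject           = $cert.Subject
        SmartCardLogonEku = $hasScLogon
        CertificateUpn    = $upn
        MatchesAdUser     = [bool]$user
    }
}

Test-SmartCardLogonCert -CertPath 'C:\pki\sample-card-cert.cer'   # placeholder path
```

A card whose output shows `MatchesAdUser = False` is the case the answer describes: without a UPN that resolves to an account, the DC has nothing to map the certificate to.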

Thanks much for the info Vadims! It sounds like users who had been issued Smart Cards for a separate environment which contain a different UPN won't be able to use them for internal authentication due to the differing UPNs. That isn't a big deal and will actually simplify some stuff for us. I am still a little confused regarding certificate mappings. The requirements for Vista/2008 clients and later state that you can omit the UPN and use a manual mapping of a certificate in ADDS. I'll try to dig up some more info on certificate mappings myself. Perhaps it's the case that mappings can only be used if there is no UPN on the certificate. Thanks again Vadims!
May 31st, 2011 11:40pm

Yes, this is possible for Vista and newer systems. This behavior must be enforced through group policies (not enabled by default). But your environment contains XP machines, thus you should deploy the most compatible solution.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
June 1st, 2011 8:25am
