Matching Smart Card To Active Directory Account

By Greg Price
Had an interesting problem come up today and I am looking for some help with resolving it.

We have two separate Active Directory Domains in a common forest, using smart cards for authentication based on matching the Subject Alternative Name (Principal Name) on the cert to the userPrincipalName in AD. Smart Cards are enabled, but not required, so it is possible to still use UserID/Pw to log in. This has worked well for the better part of a year.

Recently an employee switched employment from Domain1 to Domain2. Because of a lack of communication between the DAs, a new account was set up in Domain2 with an identical UPN (and Pre-Windows 2000 login name) as existed in Domain1. The original account was never disabled or deleted.

Now, with the user sitting at a workstation that is a member of Domain2, he logs in using UserID/Pw and authenticates into Domain2, as expected. However, when he uses his Smart Card he ends up logging into his original account (Domain1) instead. If the problem were with the UserID/Pw login, I would just have the user make sure the proper Domain was selected. But I can't find a way to do so with the Smart Card, since it only asks for a PIN. (I think enabling User Name Hints might work, but we are trying to avoid that if possible.)

Can anyone help enlighten me on how the Smart Card login process determines which AD account will be used if there are two, in different domains in the forest, that match the Principal Name on the certificate, and if there is a way to specify the domain to use?
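The collision described above (the same userPrincipalName existing in two domains of one forest) is something an admin can audit for before it surfaces as a wrong-account smart card logon. The following script is an added example, not part of the original post; it assumes the ActiveDirectory RSAT module and read access to a Global Catalog in the forest.

```powershell
# Added example (not from the original post): find UPNs that exist in more
# than one domain of the forest, which is the collision the post describes.
# Assumes the ActiveDirectory RSAT module and read access to a Global Catalog.
Import-Module ActiveDirectory

function Find-DuplicateUpn {
    param(
        # Hostname of any Global Catalog; defaults to the first one the forest reports.
        [string]$GlobalCatalog = ((Get-ADForest).GlobalCatalogs | Select-Object -First 1)
    )

    # Port 3268 queries the Global Catalog partition, so one query covers
    # every domain in the forest instead of one domain at a time.
    $gc = "${GlobalCatalog}:3268"

    # Only accounts that actually carry a UPN are relevant to certificate mapping.
    $users = Get-ADUser -Server $gc -Filter 'userPrincipalName -like "*"' `
        -Properties userPrincipalName, distinguishedName, enabled

    # Group on the UPN (case-insensitive) and keep only UPNs held by more than one account.
    $users |
        Group-Object -Property { $_.userPrincipalName.ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            foreach ($u in $_.Group) {
                [pscustomobject]@{
                    UserPrincipalName = $u.userPrincipalName
                    # Derive the DNS domain name from the DC= components of the DN.
                    Domain            = (($u.distinguishedName -split ',DC=') | Select-Object -Skip 1) -join '.'
                    DistinguishedName = $u.distinguishedName
                    Enabled           = $u.Enabled
                }
            }
        }
}

# Example use: list every duplicated UPN with the domains and enabled state of each holder.
Find-DuplicateUpn | Sort-Object UserPrincipalName, Domain | Format-Table -AutoSize
```

Any UPN listed with more than one enabled holder is ambiguous for certificate mapping; disabling or renaming the stale account removes the ambiguity without changing the logon UI.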