RE: Certificate Services question
From: gordonah (gordonah_at_discussions.microsoft.com)
Date: Mon, 17 Jan 2005 08:29:06 -0800
I can't find anything to back up my theory, but as a GC is required for
enterprise CAs (you don't say if it's enterprise or standalone), it possibly
stores the associated user account as the UPN, rather than the DN, as you
might expect for X.509/X.500 compliance. If this is the case, then the
behaviour is unfortunately as expected.
I haven't got access to an enterprise CA at the moment, so this is pure
conjecture, but as no-one else has suggested anything yet I thought I'd have
"Rob McShinsky" wrote:
> Currently I have a 2-tiered CA infrastructure with an offline root and
> issuing CAs. I am having an issue in my testing with changing the UPN name
> of a user and then reissuing a Smartcard User/Logon certificate to them.
> The process goes as follows:
> 1. Format Smartcard.
> 2. Clear all Smartcard certs from the users machine.
> 3. Revoke Smartcard certs from issuing CA.
> 4. Republish CRLs.
> 5. Change the user's UPN name to the correct custom UPN name (not fully qualified
> domain name).
> 6. Reissue Smartcard cert to user with new UPN name.
> This fails with the error message "The system could not log you on. Your
> credentials could not be verified." Before the UPN name change in this test
> (using USERNAME@FULLYQUALIFIEDNAME) Smartcard Logon worked fine, so it
> seems that CRL and cert trusts are all correct. Also creating a new user
> with the shortened, custom UPN name works correctly. Am I forgetting to
> clean some piece out of AD before creating the new cert with a different UPN
> name? If I again clear out the card and revoke the certs and change the UPN
> suffix back to its original state, Smartcard Logon works correctly again for
> this user. Does anyone know what I am missing?
> Rob McShinsky
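The check a practitioner would run before repeating steps 1-6 is to confirm what gordonah is guessing at: pull the UPN that the issued certificate actually carries in its Subject Alternative Name and compare it with the account's current userPrincipalName, then confirm that exact value resolves through a global catalog, which is how smartcard logon maps the certificate to an account. The script below is an added example, not code from the thread or from either poster. It assumes the certificate has been exported to the path in $CertPath, that the account is identified by the sAMAccountName in $SamAccountName, and that the ActiveDirectory RSAT module is available on the machine running it.

```powershell
# Added example (not from the original thread): verify that a smartcard logon
# certificate's embedded UPN matches the user's current AD userPrincipalName.
# Assumptions: $CertPath points at an exported copy of the certificate and
# $SamAccountName is the account it was issued to; both values are placeholders.
param(
    [string]$CertPath       = 'C:\temp\smartcard-user.cer',   # assumed path
    [string]$SamAccountName = 'rmcshinsky'                     # assumed account
)

Import-Module ActiveDirectory

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. The certificate must carry the Smart Card Logon EKU (1.3.6.1.4.1.311.20.2.2).
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.4.1.311.20.2.2' })) {
    Write-Warning 'Certificate does not carry the Smart Card Logon EKU'
}

# 2. Pull the UPN out of the Subject Alternative Name (OID 2.5.29.17). Windows
#    renders the Microsoft UPN otherName (OID 1.3.6.1.4.1.311.20.2.3) as
#    "Other Name:Principal Name=user@suffix" in single-line format.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) { throw 'Certificate has no Subject Alternative Name extension' }
$sanText = $san.Format($false)
if ($sanText -match 'Principal Name=([^,\s]+)') {
    $certUpn = $Matches[1]
} else {
    throw "No UPN otherName found in SAN: $sanText"
}

# 3. Compare with the account's current userPrincipalName (-eq is case-insensitive).
$user = Get-ADUser -Identity $SamAccountName -Properties userPrincipalName
if ($certUpn -eq $user.UserPrincipalName) {
    Write-Host "OK: certificate UPN '$certUpn' matches AD UPN for $SamAccountName"
} else {
    Write-Warning "MISMATCH: certificate says '$certUpn', AD says '$($user.UserPrincipalName)'"
}

# 4. Smartcard logon maps the certificate UPN to an account through a global
#    catalog lookup, so confirm the exact value is findable on port 3268 and
#    maps to exactly one account.
$gc   = Get-ADDomainController -Discover -Service GlobalCatalog
$hits = @(Get-ADUser -Filter "userPrincipalName -eq '$certUpn'" -Server "$($gc.HostName[0]):3268")
switch ($hits.Count) {
    0       { Write-Warning "UPN '$certUpn' was not found in the global catalog" }
    1       { Write-Host "OK: '$certUpn' resolves to $($hits[0].DistinguishedName)" }
    default { Write-Warning "UPN '$certUpn' is ambiguous: $($hits.Count) accounts match" }
}
```

Run it once against the certificate issued before the UPN change and once against the reissued one; the two UPN values printed in step 3 are what the KDC is being asked to map, and a mismatch or a global catalog lookup that returns zero or several accounts narrows the problem to the directory side rather than CRL or chain trust.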