Disable SAN to UPN mapping on W2012R2 and ADFS 3.0

Last Post 05 August 2015
tonyszko posted this 27 July 2015

Hi

We are working on validating a scenario in a lab environment, and part of it is that we want to allow users to use 3rd-party certs to authenticate on ADFS 3.0 as the primary authentication method.

We've tried to disable SAN to UPN mapping, as in our certs the SAN contains some completely non-domain-related information and certainly not the user's UPN (https://technet.microsoft.com/en-us/library/ff520074(WS.10).aspx); however, it looks like it is ignored at ADFS as well.

We have a mapping from the account to a specific cert and SAN to UPN mapping disabled; however, when the cert is presented to ADFS we always see at the DC an attempt to log on with the user name from the SAN.

Has anyone tried something like this or has experience with cert to user account mapping?

-- Tomasz Onyszko | Predica Blog (Company): http://blog.predica.pl Blog (EN): http://blogs.dirteam.com/blogs/tomek/ Blog (PL): http://www.w2k.pl
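The two pieces of the setup described in the post, the KDC registry switch from the linked TechNet article and an explicit certificate-to-account mapping, as an added PowerShell example that is not part of the original post. It assumes a 2012 R2 lab domain controller with the ActiveDirectory module, a user certificate exported to a file, and a target account; the file path `C:\lab\user.cer`, the account `labuser` and the helper function names are hypothetical. One point worth keeping in mind while reading it: the `UseSubjectAltName` value lives under the Kdc service, so it governs the domain controller's Kerberos certificate (PKINIT) logon path only; software that reads the certificate itself, ADFS included, is not consulting that key, which is consistent with what the post observes.

```powershell
# Added example, not from the original post. Paths, account name and helper names are assumptions.
Import-Module ActiveDirectory

# 1. The switch from the linked TechNet article: UseSubjectAltName = 0 under the Kdc service
#    stops the KDC from mapping the UPN in a certificate SAN to an account during PKINIT logon.
#    Run on the domain controller(s). It does not change how ADFS reads the certificate.
$kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$current = (Get-ItemProperty -Path $kdcKey -Name UseSubjectAltName -ErrorAction SilentlyContinue).UseSubjectAltName
Write-Host ("Current UseSubjectAltName: {0}" -f $(if ($null -eq $current) { '<not set, mapping enabled>' } else { $current }))
New-ItemProperty -Path $kdcKey -Name UseSubjectAltName -Value 0 -PropertyType DWord -Force | Out-Null

# 2. What a SAN-based consumer will take from the cert: the Principal Name (UPN) entry, if any.
#    Assumes the Windows formatting of the 2.5.29.17 extension ("Principal Name=user@domain").
function Get-CertificateSanUpn {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    $text = $san.Format($true)
    if ($text -match 'Principal Name=(\S+)') { return $Matches[1] }
    return $null
}

# 3. Explicit certificate-to-account mapping via altSecurityIdentities.
#    AD expects the issuer and subject DNs with their RDNs in reverse order compared with what
#    the certificate (and .NET) display: "CN=user,OU=Lab,DC=corp" -> "DC=corp,OU=Lab,CN=user".
function ConvertTo-AdMappingDn {
    param([Parameter(Mandatory)][string]$Dn)
    $rdns = $Dn -split ',\s*(?=[A-Za-z]+=)'   # split only on commas that begin a new RDN
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

function New-CertificateMapping {
    param(
        [Parameter(Mandatory)][string]$CertPath,
        [switch]$UseSerial   # issuer + serial instead of issuer + subject
    )
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $issuer = ConvertTo-AdMappingDn $cert.Issuer
    if ($UseSerial) {
        # The <SR> form writes the serial number with its bytes in reverse order.
        # Later Windows updates treat issuer+serial as a "strong" mapping, <I>/<S> as a weak one.
        $hex   = $cert.SerialNumber
        $pairs = for ($i = $hex.Length - 2; $i -ge 0; $i -= 2) { $hex.Substring($i, 2) }
        return "X509:<I>$issuer<SR>$($pairs -join '')"
    }
    $subject = ConvertTo-AdMappingDn $cert.Subject
    return "X509:<I>$issuer<S>$subject"
}

$certFile = 'C:\lab\user.cer'      # hypothetical path
$account  = 'labuser'              # hypothetical sAMAccountName

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile
Write-Host ("UPN carried in SAN (what a SAN-based lookup would use): {0}" -f ($(Get-CertificateSanUpn $cert) ?? '<none>'))

$mapping = New-CertificateMapping -CertPath $certFile
Write-Host "Mapping string: $mapping"
Set-ADUser -Identity $account -Add @{ altSecurityIdentities = $mapping }

# Verify what is now on the account.
Get-ADUser -Identity $account -Properties altSecurityIdentities |
    Select-Object -ExpandProperty altSecurityIdentities
```

The `??` operator requires PowerShell 7; on the Windows PowerShell 5.1 that ships with 2012 R2, replace that line with an explicit `if ($null -eq $upn)` check. Mapping on `<I>` and `<S>` alone is the form that matches the post's intent (the SAN is never consulted), but an attacker who can obtain a certificate with the same subject from the same issuer lands on the same account, which is why the issuer-plus-serial form is preferred where the consuming software honours it.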

ThomasVuylsteke posted this 03 August 2015

I've worked with certificate based authentication, typically "Belgian EIDs". In my experience it really depends on the software whether it supports "name mappings" or not. ISA/TMG and smart card logon do just fine. Not sure about ADFS.


tonyszko posted this 05 August 2015

Thank you for the answer. Yes, it looks like ADFSv3 has an issue with it. Not exactly not supporting it, but using the UPN in the process and always taking the UPN from the cert subject.