Certbased AuthN not working with only distinguishedName in certificate


Dear ADFS experts!

    I am trying to get the certificate based authentication with ADFS 4.0 working. I have an O365 tenant federated with my on-prem AD. Certificate Authentication is enabled for Intranet and Extranet. When I obtain a certificate from the standard User template and use it for authentication I have no problem, so in principle the configuration works.

    Now the tricky part:
    I have the requirement that no SubjectAlternativeName is present in the certificate so I use a duplicate of the User template where I only add the distinguishedName as stored in AD in the subject of the certificate (using the same account as in the working scenario). But if I do not have the UserPrincipalName in the SubjectAlternativeName the cert-based AuthN won't work. I expected that it should work as long as the distinguishedName of the user is present in the certificate's subject as said in the MS Docs [1] under Certificate Authentication:

    The certificate must map to the user account in AD DS by either of the following methods:
        The certificate subject name corresponds to the LDAP distinguished name of a user account in AD DS.
        The certificate subject altname extension has the user principal name (UPN) of a user account in AD DS.

    The error message in the ADFS Event Log says in short (Event IDs ADFS 111 and ADFS 364):
    Exception details: 
        System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
       at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.KerberosCertificateLogon(X509Certificate2 certificate)
       at Microsoft.IdentityModel.Claims.WindowsClaimsIdentity.CertificateLogon(X509Certificate2 x509Certificate)

    Is there anything I am missing? Did someone get the certificate based AuthN to work without the UPN in the SAN, just with the FDN in the certificate's subject?

    I am looking forward to hearing from you!


    [1] https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/ad-fs-requirements#BKMK_10

    • Edited by kuenni Tuesday, January 22, 2019 3:33 PM
    Tuesday, January 22, 2019 3:31 PM
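The two mapping rules quoted from the Microsoft docs above (subject name equal to the account's LDAP distinguished name, or a UPN in the Subject Alternative Name) can be checked side by side before touching the ADFS configuration. The following PowerShell diagnostic is an added example, not code from the original post or from Microsoft; it assumes the RSAT ActiveDirectory module is installed, that the certificate under test is in the `CurrentUser\My` store, and the account name `jdoe` is a placeholder. It reads the certificate's subject and SAN UPN, reads the same attributes from the AD account, and reports which of the two documented mapping paths is actually present.

```powershell
# Added diagnostic (not from the original post). Compares a certificate's
# Subject and SAN UPN with the AD account's distinguishedName and UPN.
param(
    [string]$SamAccountName = 'jdoe',   # placeholder account name, replace with the real one
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint                 # thumbprint of the certificate under test
)

Import-Module ActiveDirectory

$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in CurrentUser\My" }

# Subject as .NET renders it (X.500 string, CN first)
$subject = $cert.Subject

# UPN from the Subject Alternative Name extension (OID 2.5.29.17), if present.
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
$sanUpn  = if ($sanText -match 'Principal Name=([^\r\n,]+)') { $Matches[1].Trim() } else { $null }

$user = Get-ADUser -Identity $SamAccountName `
    -Properties distinguishedName, userPrincipalName, altSecurityIdentities

# Normalise whitespace around RDN separators before comparing; this is a
# string heuristic only, not the exact matching the domain controller performs.
$normSubject = ($subject -replace '\s*,\s*', ',').ToLowerInvariant()
$normDn      = ($user.distinguishedName -replace '\s*,\s*', ',').ToLowerInvariant()

[pscustomobject]@{
    CertificateSubject    = $subject
    CertificateSanUpn     = $sanUpn
    ADDistinguishedName   = $user.distinguishedName
    ADUserPrincipalName   = $user.userPrincipalName
    SubjectMatchesDN      = ($normSubject -eq $normDn)
    SanUpnMatchesADUpn    = [bool]($sanUpn -and ($sanUpn -ieq $user.userPrincipalName))
    AltSecurityIdentities = $user.altSecurityIdentities
}
```

Run it as `.\Check-CertMapping.ps1 -SamAccountName <account> -Thumbprint <thumbprint>` (script name is a placeholder). If `SanUpnMatchesADUpn` is `$false` and `SubjectMatchesDN` is also `$false`, neither documented mapping path is satisfied by the certificate as issued, which is the first thing to rule out before reading the ADFS 364 event as an ADFS-side fault; `AltSecurityIdentities` is shown because explicit mappings on the account are the other place a certificate-to-account binding can live.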