Dear ADFS experts!
I am trying to get certificate-based authentication with ADFS 4.0 working. I have an O365 tenant federated with my on-prem AD. Certificate Authentication is enabled for Intranet and Extranet. When I obtain a certificate from the standard User template and use it for authentication I have no problem, so in principle the configuration works.
Now the tricky part:
I have the requirement that no SubjectAlternativeName is present in the certificate, so I use a duplicate of the User template where I only add the distinguishedName as stored in AD in the subject of the certificate (using the same account as in the working scenario). But if I do not have the UserPrincipalName in the SubjectAlternativeName, the cert-based AuthN won't work. I expected that it should work as long as the distinguishedName of the user is present in the certificate's subject, as said in the MS Docs [1] under Certificate Authentication:
The certificate must map to the user account in AD DS by either of the following methods:
The certificate subject name corresponds to the LDAP distinguished name of a user account in AD DS.
The certificate subject altname extension has the user principal name (UPN) of a user account in AD DS.
The error message in the ADFS Event Log says in short (Event IDs ADFS 111 and ADFS 364):
Exception details:
System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.KerberosCertificateLogon(X509Certificate2 certificate)
at Microsoft.IdentityModel.Claims.WindowsClaimsIdentity.CertificateLogon(X509Certificate2 x509Certificate)
...
Is there anything I am missing? Has anyone gotten certificate-based AuthN to work without the UPN in the SAN, just with the FDN in the certificate's subject?
I am looking forward to hearing from you!
Greetings
kuenni
[1] https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/ad-fs-requirements#BKMK_10
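A diagnostic for comparing a client certificate against the two documented mapping criteria quoted above (subject equals the account's LDAP distinguishedName, or SAN carries the account's UPN), as an added example that is not part of the original post. It assumes the ActiveDirectory module is installed on the machine you run it from, that the certificate sits in the current user's personal store, and that you supply the $Thumbprint and $SamAccountName values yourself.

```powershell
# Added example: report which documented ADFS certificate-to-account mapping
# criteria a given certificate satisfies. $Thumbprint and $SamAccountName are
# supplied by the caller; nothing here is taken from the original post.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [Parameter(Mandatory)] [string] $SamAccountName
)

# X.500 DN matching is case-insensitive and ignores whitespace around the
# component separators, so normalise both strings before comparing them.
# The regex splits only on commas that start a new "type=" component, so an
# escaped comma inside a CN value (e.g. "CN=Doe\, John") is left intact.
function Normalize-Dn([string] $Dn) {
    $parts = $Dn -split ',(?=\s*[A-Za-z0-9.]+=)' | ForEach-Object { $_.Trim() }
    return ($parts -join ',').ToLowerInvariant()
}

$cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"
$user = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName

# Criterion 1: certificate subject corresponds to the account's distinguishedName.
$subjectMatchesDn = (Normalize-Dn $cert.Subject) -eq (Normalize-Dn $user.DistinguishedName)

# Criterion 2: the SAN extension (OID 2.5.29.17) carries the account's UPN as an
# otherName. GetNameInfo(UpnName) returns an empty string when no UPN is present.
$sanPresent = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' })
$sanUpn     = $cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)
$sanMatchesUpn = ($sanUpn -ne '') -and ($sanUpn -ieq $user.UserPrincipalName)

[pscustomobject]@{
    Thumbprint          = $cert.Thumbprint
    CertSubject         = $cert.Subject
    AccountDn           = $user.DistinguishedName
    SubjectMatchesDn    = $subjectMatchesDn
    SanExtensionPresent = $sanPresent
    SanUpn              = $sanUpn
    SanMatchesUpn       = $sanMatchesUpn
}
```

The script only compares the certificate's contents with the account attributes; it does not reproduce the Kerberos certificate logon that ADFS performs, so a match here confirms the certificate is built as documented, not that the logon will succeed.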