ADFS 3 Client certificate authentication with CN different from UPN

  • Hi,

    We are trying to implement client authentication for a claim-based web application using client certificate authentication.
    The certificates for the users are issued by an external certificate authority, and we map the certificates to users in Active Directory by name mapping. The certificate's CN value does not match the UPN in the DC! And I have no control over how the CN is created (external CA).

    When users try to log in with the client certificate (we enabled external authentication with certificate and added all root CAs to the trusted store so the client certificate can be trusted), the user is prompted to choose the certificate and after that we get the following error:

    The Federation Service encountered an error while processing the WS-Trust request.
    Request type: schemas.microsoft.com/idfx/requesttype/issue

    Additional Data
    Exception details:
    System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
       at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.KerberosCertificateLogon(X509Certificate2 certificate)
       at Microsoft.IdentityModel.Claims.WindowsClaimsIdentity.CertificateLogon(X509Certificate2 x509Certificate)
       at Microsoft.IdentityModel.Claims.WindowsClaimsIdentity.CreateFromCertificate(X509Certificate2 certificate, Boolean useWindowsTokenService, String issuerName)
       at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
       at Microsoft.IdentityServer.Service.Tokens.MSISX509SecurityTokenHandler.ValidateToken(SecurityToken token)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet, List`1 additionalClaims)

    I have tried to use "Configuring Alternate Login ID",

    but it's only good for forms authentication...

    Any help?



    Thursday, November 2, 2017 10:37 PM

All replies

  • Is the CN of the certificate the UPN of the user? If not, the alternate ID match will have to be done with the thumbprint of the cert. Is that also correctly done in AD?

    Note that it also requires at least 2008 AD functional level.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, November 3, 2017 1:27 PM
  • Hi,

    Thank you for the reply.

    "Is the CN of the certificate the UPN of the user?" No, this is the issue...

    And the mapping in the DC is not by the thumbprint.

    The mapping is with the real CN value from the client certificate, something like:

    CN= mr jhone smit number_123456

    and "123456" is the value I have for them as UPN in the DC.

    I have more than 1500 users with certificates (working with an ASP.NET application behind TMG with KCD from the TMG to the ASP.NET web app, so users do certificate authentication with TMG and TMG transforms it to NTLM\Kerberos); I can't remap their certificates, I don't have their thumbprints.

    Where can I find information for this requirement?

    Can't I do something with the claim rules language?

    Thank you


    Saturday, November 4, 2017 6:43 PM
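    For the name-mapping situation described above, an added diagnostic (example code, not from this thread or from Microsoft): it reads a user's certificate, builds the altSecurityIdentities name-mapping strings a domain controller would look for (issuer+subject, and subject only, with RDNs in the reversed order AD stores them), and queries AD for the account that carries them, then prints what the certificate itself asserts in its Subject Alternative Name for comparison. It assumes the ActiveDirectory module is installed and that the certificate path is a placeholder.

```powershell
# Added example, not from the thread. Assumptions: ActiveDirectory module present,
# read access to altSecurityIdentities, and $CertPath is a placeholder to replace.
param(
    [string]$CertPath = 'C:\temp\user.cer'   # placeholder path
)

Import-Module ActiveDirectory

# altSecurityIdentities stores a DN with its RDNs in reverse order relative to
# the certificate's display form, e.g. "DC=com,DC=contoso,CN=John Smith".
function ConvertTo-ReversedDN {
    param([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Dn)
    $rdns = @($Dn.Format($true) -split "`r?`n" | Where-Object { $_ -ne '' })
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

$cert    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$issuer  = ConvertTo-ReversedDN $cert.IssuerName
$subject = ConvertTo-ReversedDN $cert.SubjectName

# The two name-mapping forms a DC can match against this certificate.
$candidates = @(
    "X509:<I>$issuer<S>$subject",   # issuer + subject (what the ADUC Name Mappings dialog writes)
    "X509:<S>$subject"              # subject-only mapping
)

foreach ($m in $candidates) {
    $escaped = $m.Replace("'", "''")   # keep the filter string well formed
    $u = Get-ADUser -Filter "altSecurityIdentities -eq '$escaped'" `
                    -Properties altSecurityIdentities, userPrincipalName
    if ($u) {
        "mapping found: $m -> $($u.SamAccountName) (UPN $($u.UserPrincipalName))"
    } else {
        "no user carries: $m"
    }
}

# What the certificate asserts on its own (a UPN in the SAN would map without altSecurityIdentities).
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { "SAN: " + $san.Format($false) } else { "certificate has no Subject Alternative Name" }
```

    If neither candidate string is found on any account, the DC has nothing to map the certificate to, which is consistent with the KerberosCertificateLogon failure quoted in the question.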
  • Hi, did you ever find a solution to this?
    Thursday, August 8, 2019 6:44 AM