maxwellfunk
commented
3 years ago Name mapping the admins account (e.g., 123456789-ADM) in AD and leaving the standard user account name mapping blank will facilitate this functionality.
Closed djpackham closed 3 years ago
maxwellfunk
commented
3 years ago Name mapping the admins account (e.g., 123456789-ADM) in AD and leaving the standard user account name mapping blank will facilitate this functionality.
Description of Issue:
When enabling username hints is there a way to set the non-privileged user accounts as default and leave the hints field blank? This seems to work if the UPN in AD and the UPN in the PIV authentication certificate match. However, for misconfigured UPNs either in AD or in the PIV auth cert, is there a way to set Windows to not match users by UPN when the system detects a PIV credential, but rather something like subject + issuer?
Details of Issue:
It seems when you insert your PIV card and the system recognizes it, a mapping is being done between the user's AD UPN value and UPN value on the PIV authentication certificate. The issue is some agencies AD UPN value and UPN value on the PIV authentication certificates mismatch. In this case, Windows doesn't know which account they're trying to login with and requires the user to enter a username in the hints field.
References (Docs, Links, Files):
If a New Page or Content is Needed, Expected Outcomes:
Link to the Content Page for Contributors: