Tim - see below: --
The only way to do this is to set the DC to ignore the UPN entirely and use the altSecurityIdentities attribute to map the cert to an account:
http://technet.microsoft.com/en-us/library/ff520074(WS.10).aspx
You can map both certs to the same account, but you'll have to use altSecurityIdentities to do so. See the Windows Vista Smart Card Infrastructure doc I linked to earlier for more, plus this blog post:
http://blogs.msdn.com/b/spatdsg/archive/2010/06/18/howto-map-a-user-to-a-certificate-via-all-the-methods-available-in-the-altsecurityidentities-attribute.aspx
Bear in mind that this is *not* currently the standard configuration for DoD AD smartcard logon. You can play with it, and it may someday be deployed in wide use, but for now it's not a supported configuration in any CC/S/A I'm aware of.
-- Tim
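As an added illustration of the approach Tim describes (this is not code from the thread or from the linked Microsoft pages), the script below writes two Issuer+SerialNumber mappings into a single account's altSecurityIdentities and sets the KDC registry value that makes it ignore the UPN in the certificate SAN. The user name, certificate file paths and DC name are assumptions; the mapping string format (X509:<I>issuer<SR>reversed-serial) and the UseSubjectAltName value are the ones documented by Microsoft for explicit mapping, but check them against the Vista Smart Card Infrastructure doc before using this on anything that matters.

```powershell
# Added example, not from the original thread: map two CAC certificates to
# one AD account via altSecurityIdentities and make the KDC ignore the UPN.
# Assumptions: the account is 'jdoe', both certs were exported as .cer files
# at the paths below, and the DC is 'DC01'. Requires the ActiveDirectory
# module and rights to write the attribute and the DC registry.

Import-Module ActiveDirectory

function ConvertTo-AltSecurityIdentity {
    <# Build an "X509:<I>issuer<SR>serial" mapping string from a certificate.
       AD expects the issuer DN in reverse RDN order and the serial number
       with its byte order reversed (the <SR> tag). #>
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # "CN=DOD ID CA-59, OU=PKI, OU=DoD, O=U.S. Government, C=US"
    #   -> "C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD ID CA-59"
    # Splitting on ', ' is adequate for issuer names without escaped commas;
    # anything fancier needs a real DN parser.
    $rdns = $Certificate.Issuer -split ', '
    [array]::Reverse($rdns)
    $issuer = $rdns -join ','

    # SerialNumber is a big-endian hex string; reverse it byte by byte.
    $hex   = $Certificate.SerialNumber
    $bytes = for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2) }
    [array]::Reverse($bytes)
    $serial = ($bytes -join '').ToUpper()

    return "X509:<I>$issuer<SR>$serial"
}

$user = 'jdoe'   # assumed account name
$certFiles = 'C:\certs\jdoe-piv-auth.cer', 'C:\certs\jdoe-id.cer'   # assumed paths

# One mapping string per certificate. Issuer+serial is unique per cert, so the
# two CAC certs get distinct entries even if their subjects are identical.
$mappings = foreach ($path in $certFiles) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
    ConvertTo-AltSecurityIdentity -Certificate $cert
}

# altSecurityIdentities is multi-valued, so both certs can live on one account.
Set-ADUser -Identity $user -Add @{ altSecurityIdentities = $mappings }

# Read it back to confirm both entries landed.
(Get-ADUser -Identity $user -Properties altSecurityIdentities).altSecurityIdentities

# On the DC: tell the KDC to stop using the SAN/UPN from the certificate and
# rely on the explicit mapping instead (DWORD UseSubjectAltName = 0).
Invoke-Command -ComputerName 'DC01' -ScriptBlock {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' `
        -Name 'UseSubjectAltName' -Value 0 -Type DWord
}
```

Two things to watch when trying this: the reversed-serial detail is the usual reason a mapping silently fails to match (compare the attribute value against `certutil -dump` output on the cert), and because the KDC setting applies to every smart-card logon in the domain, every account that logs on with a certificate needs an explicit mapping once the UPN is no longer consulted, which is why Tim's point about this not being the supported DoD configuration matters.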
I took a look at this (interesting to be honest, but a hack nonetheless), and in many respects we don't care if the user sets up their AD this way; it's not up to us. Again, my goal here was to set up a consistent architecture that would accept both CAC certs on both Mac and Win7. If I can get a consistently running machine that I can baseline on the Windows machine and then test eventually on my Mac, I'm all set.