On Feb 23, 2011, at 5:11 PM, Will Coleman wrote:
However, when I moved over to Mac, it would not log me on with the longer string but the shorter string, or just the NT Principal name "2001361506@mil" and not "2001361506170084@mil".
See my previous; this is probably because OS X sees the card as a CAC & automatically selects the email signing cert which only has the shorter UPN.
How does one map those two names together on one account if it's even possible?
The only way to do this is to set the DC to ignore the UPN entirely and use the altSecurityIdentities attribute to map the cert to an account: http://technet.microsoft.com/en-us/library/ff520074(WS.10).aspx

You can map both certs to the same account, but you'll have to use altSecurityIdentities to do so. See the Windows Vista Smart Card Infrastructure doc I linked to earlier for more, plus this blog post: http://blogs.msdn.com/b/spatdsg/archive/2010/06/18/howto-map-a-user-to-a-cer...

Bear in mind that this is *not* currently the standard configuration for DoD AD smartcard logon. You can play with it, and it may someday be deployed in wide use, but for now it's not a supported configuration in any CC/S/A I'm aware of.

-- Tim
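The mapping Tim describes, written out as an added PowerShell example (this is not code from the thread or from the Microsoft articles it links). It assumes the RSAT ActiveDirectory module is available, that both certificates were exported from the card as DER .cer files at the placeholder paths below, and a placeholder sAMAccountName; the KDC registry value at the end is the one the linked TechNet article describes for making the DC ignore the UPN in the certificate's SAN.

```powershell
# Added example: map a CAC's PIV Auth cert and Email Signing cert to one AD
# account through altSecurityIdentities, then tell the KDC to ignore the UPN.
Import-Module ActiveDirectory

function ConvertTo-AltSecurityIdentity {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # altSecurityIdentities expects each DN written root-first
    # (C=...,O=...,CN=...), the reverse of the CN-first order .NET prints.
    # Format(true) yields one RDN per line, which avoids splitting on commas
    # that may be escaped inside a single RDN value.
    $reverseDn = {
        param([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Dn)
        $rdns = @($Dn.Format($true) -split "`r?`n" | Where-Object { $_ -ne '' })
        [array]::Reverse($rdns)
        $rdns -join ','
    }
    'X509:<I>{0}<S>{1}' -f (& $reverseDn $Certificate.IssuerName),
                           (& $reverseDn $Certificate.SubjectName)
}

# Placeholders: the account to map to and the two certs exported from the card.
$account   = 'jdoe'
$certFiles = 'C:\certs\piv-auth.cer', 'C:\certs\email-sign.cer'

# One mapping string per cert. The two CAC certs share a subject but come from
# different issuing CAs (DOD CA-xx vs. DOD EMAIL CA-xx), so both values are
# needed; altSecurityIdentities is multi-valued, so -Add appends rather than replaces.
$mappings = foreach ($f in $certFiles) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $f
    ConvertTo-AltSecurityIdentity -Certificate $cert
}
Set-ADUser -Identity $account -Add @{ altSecurityIdentities = $mappings }

# Check what was written.
Get-ADUser -Identity $account -Properties altSecurityIdentities |
    Select-Object -ExpandProperty altSecurityIdentities

# On each domain controller: stop the KDC from using the SAN UPN for account
# lookup so the explicit mapping above is what gets used (UseSubjectAltName=0,
# per the TechNet article linked in the thread). Requires a KDC restart.
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' `
    -Name UseSubjectAltName -Value 0 -PropertyType DWord -Force | Out-Null
```

Two caveats for anyone trying this today rather than in 2011: the Issuer+Subject (`<I>...<S>...`) form shown here is what the linked articles use, but since the May 2022 Windows updates (KB5014754) Windows treats it as a weak mapping and, once enforcement mode is on, only accepts strong forms such as `<SKI>` or `<I>...<SR>` (serial number, byte-reversed hex); and `UseSubjectAltName=0` disables SAN-UPN logon for every certificate the DC sees, so every smart card user in that domain then needs an explicit mapping.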