My MOSS 2007 instance (IIS 6) uses Windows Authentication and IIS’ Directory Service Mapping (against Active Directory), allowing the user to authenticate using only her smartcard client certificate, without any username/password, and regardless of what (if any) domain the client workstation is joined to. The IIS instance is set to require client certificates.
My understanding is that, for IIS to find (in Active Directory) an account associated with the client certificate, it must be able to read from it a “User Principal Name” (sometimes called “User Logon Name”).
My user’s smartcard has two client certificates issued by the same Root CA. One specifies a UPN. The other does not. She’s able to choose from either certificate when accessing the site. If she chooses the certificate without the UPN, authentication is certain to fail.
What can I do to make the browser’s certificate selection dialog show only certificates which IIS at least has a chance of matching to an account (again: DSM & AD)?
Put more technically: how do I limit the MOSS user’s client certificate selection options to those that have a UPN in the “Subject Alternate Name” field?
I don’t think you can change this. I believe the certificate selection screen is part of Internet Explorer.
If the user chooses a certificate that doesn’t have a UPN associated, you could prompt the user to select another certificate and try again.
Edit: Since tapping into the MOSS security framework could be difficult, you can implement this as an HTTPHandler and add it to the MOSS root web.config.
When the user request comes in, the handler gets first dibs and can redirect to the “try again” page if the UPN is missing from the cert.
The “try again” page will have to retry the request by opening another window to get another certificate prompt.
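The interception described in this answer, as an added example that is not code from the post: an ASP.NET module (a module rather than a handler, since a module sees every request before MOSS's own handlers run) that inspects the client certificate's Subject Alternative Name for a UPN otherName and redirects to an assumed “try again” page when it is missing. The retry page path and the module name are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web;
// Hypothetical module (not from the post): sends requests whose client
// certificate carries no UPN to a "try again" page before MOSS sees them.
public class RequireUpnCertModule : IHttpModule
{
    // Subject Alternative Name extension OID.
    private const string SanOid = "2.5.29.17";
    // DER encoding of the UPN otherName type-id 1.3.6.1.4.1.311.20.2.3 (tag 0x06, length 10, content).
    private static readonly byte[] UpnOidDer =
        { 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03 };
    // Assumed path of the retry page; it must be excluded or the redirect loops.
    private const string RetryPage = "/_layouts/CertRetry.aspx";
    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }
    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Request.Path.Equals(RetryPage, StringComparison.OrdinalIgnoreCase))
            return;
        HttpClientCertificate cc = ctx.Request.ClientCertificate;
        // IIS already requires a certificate; if none arrived, leave IIS's own 403.7 handling in place.
        if (!cc.IsPresent) return;
        if (!HasUpn(new X509Certificate2(cc.Certificate)))
            ctx.Response.Redirect(RetryPage, true);
    }
    // True when the SAN extension's DER contains an otherName of UPN type.
    // Searching for the encoded OID avoids the locale-dependent text that
    // X509Extension.Format() produces; a full ASN.1 walk would be stricter.
    public static bool HasUpn(X509Certificate2 cert)
    {
        foreach (X509Extension ext in cert.Extensions)
        {
            if (ext.Oid.Value != SanOid) continue;
            if (IndexOf(ext.RawData, UpnOidDer) >= 0) return true;
        }
        return false;
    }
    private static int IndexOf(byte[] hay, byte[] needle)
    {
        for (int i = 0; i + needle.Length <= hay.Length; i++)
        {
            int j = 0;
            while (j < needle.Length && hay[i + j] == needle[j]) j++;
            if (j == needle.Length) return i;
        }
        return -1;
    }
}
```

Register the compiled module under `<system.web><httpModules>` in the MOSS root web.config; on IIS 6 that is where ASP.NET picks it up for every request to the web application.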