Edit this page

Account Linking

For your network domains, you will need to associate the PIV credential to the user accounts. This is the account linking information discussed in the Identifiers section. The most common questions for US Federal Government and using PIV for network authentication are related to linking a PIV credential to network user accounts.

This page includes the information on the Identifiers for account linking in network authentication:

Comparing Principal Name versus altSecurityIdentities options

There are two attributes in your network domain directories to choose from:

  • Principal Name
  • altSecurityIdentities - recommended

For the Principal Name approach:

  • Each PIV credential can only be associated with ONE account
  • The User Principal Name value from the Subject Alternate Name in the PIV authentication certificate is required to be populated during PIV credential issuance
  • There is no flexibility for associating the PIV credential to separate privileged accounts
  • There is less flexibility for accepting PIV credentials issued by other government agencies or partners, including PIV-Interoperable credentials

For the altSecurityIdentities approach:

  • Each PIV credential can be associated with MORE THAN ONE account
  • Six options from the certificate can be used to map to each account
  • This provides flexibility for managing privileged accounts and using one PIV credential to authenticate to more than one account
  • Users are presented a second User Name Hint field during network authentication to identify which account the user wants to access
  • There is more flexibility for accepting PIV credentials issued by other government agencies or partners, including PIV-Interoperable credentials

PIV Certificates and UPN values

It is not required that you update your PIV credentials and certificates to not have a UPN value populated to use the altSecurityIdentities approach. This is a common misconception due to incorrect information found elsewhere online. If your PIV Authentication certificates do contain a UPN value in the Subject Alternative Name extension, altSecurityIdentities will still work for you, your agency, and your users.

Implementing altSecurityIdentities and PIV certificate mapping

If you have a large network with many domains, you will want to carefully plan for a migration from solely using Principal Name to the altSecurityIdentities approach.

You may find that you have many applications that rely upon the Principal Name values only. You can still populate the Principal Name with the PIV Authentication certificate User Principal Name value for one of the user accounts (the non-privileged accounts) to maintain those applications but disable user principal name mapping for network authentication.

You have three steps to implement altSecurityIdentities and PIV certificate mapping:

Disable User Principal Name Mapping

To implement the altSecurityIdentities approach, you will need to disable subject alternate name for the network domain. This setting simply tells your network domain: I don’t always want to use the Subject Alternate Name values for my user certificates.

This is a registry setting and you must disable this setting on all domain controllers:

Management of registry settings should use group policy objects or other centralized management options,

You need to link the PIV Authentication certificate to each of the user’s accounts. You implement this by populating one of the PIV Authentication certificate identifiers to the altSecurityIdentities attribute for each account.

  • You have six options from the certificates to use
  • A common challenge is determining how the certificate values should be mapped. A table is shown below with options and example values which closely resemble a production format for PIV Authentication.
Options Tag Example Considerations
Subject X509:<S> X509:<S>C=US,O=U.S. Government,OU=Government Agency,CN=JANE DOE OID.0.9.2342.19200300.100.1.1=25001003151020 For certificates which assert the UID identifier (0.9.2342.19200300.100.1.1) or other object identifier in the common name, the identifier is prepended with the OID qualifier.
Issuer and Subject X509:<I><S> X509:<I>C=US,O=U.S. Government,OU=Certification Authorities,OU=Government Demonstration CA<S>C=US,O=U.S. Government,OU=Government Agency,CN=JANE DOE OID.0.9.2342.19200300.100.1.1=47001003151020 Note the spaces carefully when testing and machine readable formats of the certificate extensions versus the human readable formats
Issuer and Serial Number X509:<I><SR> X509:<I>C=US,O=U.S. Government,OU=Certification Authorities,OU=Government Demonstration CA<SR>46a65d49 Serial number is reversed byte order from human readable version, starting at most significant byte
Subject Key Identifier X509:<SKI> X509:<SKI>df2f4b04462a5aba81fec3a42e3b94beb8f2e087 Not generally recommended; may be difficult to manage
SHA1 hash of public key X509:<SHA1-PUKEY> X509:<SHA1-PUKEY>50bf88e67522ab8ce093ce51830ab0bcf8ba7824 Not generally recommended; may be difficult to manage
RFC822 name X509:<RFC822> Not recommended Not recommended; not commonly populated in PIV Authentication certificates

Enable User Name Hints

You need to enable user name hints for your network domain. This will modify the logon prompts for Windows workstations and servers joined to the network domain. Your users will be prompted to provide both the PIV credential PIN value and a User Name Hint value.

Username Hint Setting:
For Windows 2008 R2:
- Computer Configuration -> Policies-> Administrative Templates -> Windows Components, and then expand Smart Card.
- Select Allow user name hint

For Windows 2012:
- Computer Configuration -> Administrative Templates -> Windows Components, and then expand Smart Card.
- Select Allow user name hint

Management of smart card settings should be deployed using a group policy object for the domain.