How to handle certificate authentication when UID is mapped to UserID or Email Address?

Document ID : KB000047061
Last Modified Date : 14/02/2018

Issue :

I have in my company 2 types of certificates: 1 with "UserID" in the Certificate "Subject", and 1 with "Email Address" in the Certificate "Subject".
When a user with "Email Address" in their Certificate Subject tries to authenticate, the authentication fails. The Policy Server doesn't find the user in the User Directory, because the User Directory is configured with the UID attribute mapped to "UserID" and not to "Email Address".

Environment :

Policy Server R12.52 SP1

Cause :

By default, a User Directory definition provides only one attribute mapping for the UserID, so a single directory can match the certificate Subject against either "UserID" or "Email Address", but not both.

Solution :

A quick workaround is to configure a second, otherwise identical User Directory definition whose UID attribute is mapped to "Email Address". When the user is not found in the first User Directory, where the UID is mapped to the certificate "UserID", the Policy Server then searches the second User Directory, where the UID is mapped to "Email Address", and the user is found there.
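To make the fallback concrete, the following Python model is added to this article; it is not Policy Server or CA Single Sign-On code. It assumes the two certificate types carry the standard subject attribute types UID and emailAddress, represents each User Directory definition as the subject attribute it maps to UID plus a constructed in-memory user store (standing in for the LDAP directory), and tries the directories in the configured order exactly as the workaround describes.

```python
"""Constructed model of the two-User-Directory fallback described above.
Illustration code added to this article, not CA Policy Server code; the
directory names, user records and subject DNs are made up."""
from typing import Optional


def parse_subject_dn(dn: str) -> dict:
    """Split an RFC 2253-style subject DN ("UID=jdoe,OU=Staff,O=Example")
    into {ATTRTYPE: value}. Attribute types are upper-cased so that
    'emailAddress' and 'EMAILADDRESS' compare equal; a backslash escapes
    the following character (e.g. a comma inside a value)."""
    attrs = {}
    parts = []
    buf = ""
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf += dn[i + 1]   # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    for part in parts:
        if "=" in part:
            attr_type, value = part.split("=", 1)
            attrs[attr_type.strip().upper()] = value.strip()
    return attrs


# Two User Directory definitions, searched in order. Each one records which
# certificate subject attribute it maps to UID and carries a constructed
# in-memory user store keyed by that attribute (standing in for LDAP).
USER_DIRECTORIES = [
    {
        "name": "Dir-UserID",        # first directory: UID <- certificate UID
        "uid_cert_attr": "UID",
        "users": {"jdoe": {"cn": "John Doe"}},
    },
    {
        "name": "Dir-Email",         # second directory: UID <- certificate emailAddress
        "uid_cert_attr": "emailAddress",
        "users": {"jane.roe@example.com": {"cn": "Jane Roe"}},
    },
]


def lookup_user(subject_dn: str, directories=USER_DIRECTORIES) -> Optional[dict]:
    """Resolve a certificate subject to a user by trying each directory in
    order. Returns {"directory": name, "user": record} for the first hit,
    or None when no directory resolves the subject (authentication fails)."""
    attrs = parse_subject_dn(subject_dn)
    for directory in directories:
        key = attrs.get(directory["uid_cert_attr"].upper())
        if key is None:
            # This certificate does not carry the attribute this directory
            # maps to UID, so no lookup is possible here; fall through.
            continue
        user = directory["users"].get(key)
        if user is not None:
            return {"directory": directory["name"], "user": user}
    return None


if __name__ == "__main__":
    for dn in ("UID=jdoe,OU=Staff,O=Example Corp",
               "emailAddress=jane.roe@example.com,CN=Jane Roe,O=Example Corp",
               "CN=Nobody,O=Example Corp"):
        print(dn, "->", lookup_user(dn))
```

The model covers only the directory-lookup step: certificate chain and revocation checks happen before it and are unchanged by adding a second User Directory. Note that a certificate carrying a UID value unknown to the first directory still falls through to the second, so both directories should describe the same trusted user population, and every miss in the first directory costs one extra search against the second.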