Prepare Active Directory for Smart Card Authentication
You might need to perform certain tasks in Active Directory when you implement smart card authentication.
- Add UPNs for Smart Card Users on page 125
  Because smart card logins rely on user principal names (UPNs), the Active Directory accounts of users that use smart cards to authenticate in View must have a valid UPN.
- Add the Root Certificate to the Enterprise NTAuth Store on page 126
  If you use a CA to issue smart card login or domain controller certificates, you must add the root certificate to the Enterprise NTAuth store in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.
- Add the Root Certificate to Trusted Root Certification Authorities on page 126
  If you use a CA to issue smart card login or domain controller certificates, you must add the root certificate to the Trusted Root Certification Authorities group policy in Active Directory. You do not need to perform this procedure if the Windows domain controller acts as the root CA.
Add UPNs for Smart Card Users
Because smart card logins rely on user principal names (UPNs), the Active Directory accounts of users that use smart cards to authenticate in View must have a valid UPN.
If the domain a smart card user resides in is different from the domain that your root certificate was issued from, you must set the user's UPN to the SAN contained in the root certificate of the trusted CA. If your root certificate was issued from a server in the smart card user's current domain, you do not need to modify the user's UPN.
NOTE You might need to set the UPN for built-in Active Directory accounts, even if the certificate is issued from the same domain. Built-in accounts, including Administrator, do not have a UPN set by default.
Prerequisites
- Obtain the SAN contained in the root certificate of the trusted CA by viewing the certificate properties.
- If the ADSI Edit utility is not present on your Active Directory server, download the Windows Support Tools from the Microsoft Web site.
Procedure
1 On your Active Directory server, start the ADSI Edit utility.
2 In the left pane, expand the domain the user is located in and double-click CN=Users.
3 In the right pane, right-click the user and then click Properties.
4 Double-click the userPrincipalName attribute and type the SAN value of the trusted CA certificate.
5 Click OK to save the attribute setting.
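The same change can be made and verified from PowerShell instead of ADSI Edit. The following script is an added example, not part of the VMware documentation: it reads the Principal Name entry from a certificate's Subject Alternative Name, compares it with the user's current userPrincipalName, and sets the attribute only when you pass -Apply. It assumes the ActiveDirectory module is installed, that the certificate is available as a file (the path and account name below are placeholders), and that the certificate's SAN text is rendered with English display strings.

```powershell
# Added example (not from the VMware documentation). Assumptions: the
# ActiveDirectory module is installed, the certificate is a DER or PEM file,
# and the SAN "Principal Name" value is what the user's UPN should become.
param(
    [Parameter(Mandatory)] [string] $CertificatePath,  # placeholder, e.g. C:\certs\trusted-ca.cer
    [Parameter(Mandatory)] [string] $SamAccountName,   # the smart card user's account
    [switch] $Apply                                     # without -Apply the script only reports
)

Import-Module ActiveDirectory -ErrorAction Stop

function Get-SanUpnFromCertificate {
    param([string] $Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    # 2.5.29.17 is the OID of the Subject Alternative Name extension.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { throw "Certificate has no Subject Alternative Name extension." }
    # Format() renders the extension as text; on English systems the UPN
    # appears as "Principal Name=user@domain" (assumption: English strings).
    $text = $san.Format($true)
    if ($text -match 'Principal Name=(\S+)') { return $Matches[1] }
    throw "No Principal Name (UPN) entry found in the SAN:`n$text"
}

$upn  = Get-SanUpnFromCertificate -Path $CertificatePath
$user = Get-ADUser -Identity $SamAccountName -Properties userPrincipalName

if ($user.userPrincipalName -eq $upn) {
    Write-Host "userPrincipalName of $SamAccountName is already '$upn'; nothing to do."
} elseif ($Apply) {
    # Built-in accounts such as Administrator have no UPN by default, so the
    # current value may be empty here; Set-ADUser writes the attribute either way.
    Set-ADUser -Identity $user -UserPrincipalName $upn
    Write-Host "Set userPrincipalName of $SamAccountName to '$upn'."
} else {
    Write-Host "Would change userPrincipalName of $SamAccountName from '$($user.userPrincipalName)' to '$upn'. Rerun with -Apply to save it."
}
```

Run it once without -Apply to confirm the value read from the certificate is the UPN you expect before writing it to the account.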
Chapter 7 Setting Up User Authentication
VMware, Inc. 125