Because smart card logins rely on user principal names (UPNs), the Active Directory accounts of users and administrators that use smart cards to authenticate in Horizon 7 must have a valid UPN.
If the domain a smart card user resides in is different from the domain that your root certificate was issued from, you must set the user’s UPN to the Subject Alternative Name (SAN) contained in the root certificate of the trusted CA. If your root certificate was issued from a server in the smart card user's current domain, you do not need to modify the user's UPN.
You might need to set the UPN for built-in Active Directory accounts, even if the certificate is issued from the same domain. Built-in accounts, including Administrator, do not have a UPN set by default.
Obtain the SAN contained in the root certificate of the trusted CA by viewing the certificate properties.
If the ADSI Edit utility is not present on your Active Directory server, download and install the appropriate Windows Support Tools from the Microsoft Web site.
- On your Active Directory server, start the ADSI Edit utility.
- In the left pane, expand the domain the user is located in and double-click CN=Users.
- In the right pane, right-click the user and then click Properties.
- Double-click the userPrincipalName attribute and type the SAN value of the trusted CA certificate.
- Click OK to save the attribute setting.