Question
Monday, April 10, 2017 6:46 PM
I have multiple user accounts mapped to a single smart card and need to authenticate at the command line (either cmd or PowerShell). There seems to be a lack of smart card logon username hint support in Windows command-line tools. I have tried runas.exe /smartcard <program> and Start-Process <program> -Credential $cred. Both methods prompt for a smart card PIN, but neither allows the entry of a username hint, which is required for mapping the smart card credential to the correct domain user account.
I found this similar thread with no solution: https://social.technet.microsoft.com/Forums/windows/en-US/68ed6d2f-d0c0-4cc3-a076-fe364f8f092e/why-not-allowance-for-user-name-hint-in-runas-with-smartcard
Surely in Windows 10 there is a way to do this?
All replies (13)
Tuesday, April 11, 2017 9:16 AM
Hi Joke,
We are currently looking into this issue and will give you an update as soon as possible.
Thank you for your understanding and support.
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Thursday, April 13, 2017 3:55 PM
Thanks for the reply. Let me know if I can provide any further information to assist.
Friday, April 14, 2017 3:17 AM | 1 vote
Hi joke,
Group Policy for "User Name Hint" only works for LogonUI (Windows console logon).
Please try the following command:
runas /smartcard /user:<domain\samAccountName>
If it does not work, then runas.exe does not support name hint.
Friday, April 14, 2017 11:26 AM
My question is not purely runas related, but could be rephrased as "How can you authenticate with a smart card and username hint at the Windows command line?"
This is what happens if I use RunAs with an account that works fine through LogonUI:
runas.exe /smartcard /user:<domain\username> cmd.exe
Reading smart cards........
Using the card in reader 1. Enter the PIN:
Attempting to start cmd.exe as user "Certificate Friendly Name for User" ...
RUNAS ERROR: Unable to run - cmd.exe
1326: The user name or password is incorrect.
This event is logged on the system:
Log Name: Security
Date: 4/14/2017 1:19:32 PM
Event ID: 4625
Keywords: Audit Failure
Description:
An account failed to log on.
Subject:
Security ID: domain\username
Account Name: username
Account Domain: domain
Logon ID: 0x26D6F76F
Logon Type: 2
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: username
Account Domain: domain
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000006D
Sub Status: 0xC00002F9
Process Information:
Caller Process ID: 0x448
Caller Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: COMPUTERNAME
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: seclogo
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
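As an added example (not from the thread), a small Python parser that pulls the Status, Sub Status, Logon Type and Logon Process out of a flattened 4625 body like the one above, so a defender reviewing the Security log can label the failure by its NTSTATUS name and flag the runas /smartcard case (Logon Process seclogo, Logon Type 2). The sample event is a trimmed, constructed copy of the one in this post; the NTSTATUS names are my mapping from ntstatus.h, not something the thread states.

```python
# Constructed sample: a trimmed copy of the 4625 body posted above.
SAMPLE_4625 = r"""
An account failed to log on.
Subject:
Security ID: domain\username
Logon ID: 0x26D6F76F
Logon Type: 2
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: username
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000006D
Sub Status: 0xC00002F9
Detailed Authentication Information:
Logon Process: seclogo
Authentication Package: Negotiate
"""

# Assumed mapping from ntstatus.h; the thread itself does not name these codes.
SUBSTATUS_NAMES = {
    "0xC00002F9": "STATUS_PKINIT_NAME_MISMATCH",
    "0xC00002FA": "STATUS_SMARTCARD_LOGON_REQUIRED",
}

def parse_4625(text):
    """Split a flattened 4625 body into {section: {field: value}}."""
    sections, current = {}, "Header"
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":"):              # section header such as "Subject:"
            current = line[:-1]
            sections.setdefault(current, {})
        elif ":" in line:                   # "Field: value"; split on first colon only
            key, _, value = line.partition(":")
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections

def classify_smartcard_runas_failure(text):
    """Return (substatus name, True if this looks like runas /smartcard name mapping failing)."""
    ev = parse_4625(text)
    sub = ev.get("Failure Information", {}).get("Sub Status", "")
    proc = ev.get("Detailed Authentication Information", {}).get("Logon Process", "")
    # "Logon Type" has no section header of its own, so the parser files it under "Subject".
    ltype = ev.get("Subject", {}).get("Logon Type", "")
    name = SUBSTATUS_NAMES.get(sub, "unknown")
    # seclogo is the Secondary Logon service behind runas; logon type 2 is interactive.
    return name, (proc == "seclogo" and ltype == "2" and sub == "0xC00002F9")
```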
Tuesday, April 18, 2017 5:47 AM
Hi Joke,
Firstly, we should be in agreement that this cannot be done via the command line.
Please confirm you have done these settings:
1. Correctly map the user account to the smart card as in this guide:
Mapping One Smartcard Certificate to Multiple Accounts.
2. Disabling the UPN mapping enables certificate mapping in Microsoft Windows Active Directory. Located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc.
3. Change the value of the DWORD UseSubjectAltName to 00000000.
Afterwards, the smart card certificate information will be imported into the user account's attribute: altSecurityIdentities.
Next, please run Runas /smartcard with the /user parameter again to test.
Wednesday, April 19, 2017 12:01 PM
Why are we in agreement that smart card logon with username hint is not possible from the Windows command line? That was the whole point of my posting to this forum: to find out how this can be done. It seems like a huge oversight to integrate username hint into the LogonUI but completely leave it out of command-line tools.
I cannot disable UPN mapping, because there are multiple certificates on the smart card, and one of them requires the UPN mapping. Another certificate on the same card is used for certificate name mapping (with username hint + the 'Allow certificates with no extended key usage certificate attribute' policy enabled). I know that the smart card certificate mappings are correct, because I am able to authenticate to all accounts from the LogonUI. I only have an issue authenticating to the name-mapped accounts from the command line. UPN-mapped accounts work from the command line, but you are limited to 1 user account per certificate.
Friday, April 21, 2017 10:23 AM
Hi,
Since this is forum support, we do not have the same lab environment to test in.
You may try to open a Premier support ticket. Premier engineers have a higher support level, so they may have more resources to help you.
Support requests
https://support.microsoft.com/en-us/premier
Monday, May 1, 2017 4:06 PM
Thanks. I have reached out to Microsoft support to open a case. I will update this thread with their response.
Monday, May 8, 2017 8:25 AM
Ok. Look forward to your reply.
Tuesday, July 25, 2017 5:55 PM
Any progress on this query? I am actively searching for the same type of solution. Curious if things like VB/C# have also been ruled out? Start-Process -Credential $cred would obviously be the preferred method, but I wonder how the username hint is expected, and whether it could be added to the smart card credential before passing it as $cred.
For example: running Get-Credential to grab the smart card and PIN, then assigning a variable with ($host.UI.PromptForCredential).UserName to get the username hint. While both are easily done, I am not sure how to combine them such that the DC will process the authentication. Hope you have had some luck from Premier Support. :)
Wednesday, September 5, 2018 3:22 PM
No luck with Microsoft support. I was told the username hint is only supported in LogonUI and there isn't a plan to add username hint support into PowerShell's functionality. I should submit a design change request if I want the functionality added.
It would make sense for PowerShell to support the same authentication methods as LogonUI.
The PowerShell GitHub repo issue #4670 seems to be on the right track to solving a similar issue with the PowerShell Get-SmartCardCred function. But it still does not support username hint.
Friday, January 18, 2019 4:37 PM
Any luck with this issue? I'm searching for a solution to this problem as well.
Saturday, January 19, 2019 12:20 AM
Unfortunately, no :(