Changing Microsoft AD UPN for AD User is not being reflected on new User Certificate

joshhunter
Level 4

Hello, although not strictly an ISE issue, a customer has changed the UPN for a few Active Directory users.

For example, 

FROM- FirstnameLastName@customer.com TO - Firstname.LastName@customer.com.

 

This is not being reflected in the new certificate which is being pulled down. It still remains as the old UPN.

Thus, when ISE Authenticates the user it works, but when authorising the user it fails. This is because it cannot find the user without the [.] in the identity (the new identity includes .) 

 

Tried gpupdate /force, deleting and manually requesting a new cert. Even on a fresh PC the same old identity is in the certificate.

 

Also tried changing all of the fields (UPN and SAM account name) and all AD attributes pertaining to the old name without said [.].

 

Any ideas? 

1 Reply

Cristian Matei
VIP Alumni

Hi,

    

    Try the following:

          - restart the Active Directory CA, see if it's fixed

          - delete and recreate the Certificate Template on the AD CA, which was used to provide user certificates, see if it's fixed

 

Regards,

Cristian Matei.
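
To check which UPN each issued certificate actually carries and compare it with what the directory currently holds, the following is an added example, not part of the original thread. It assumes the user certificate carries the UPN in the Subject Alternative Name as an otherName entry, that it is run as the affected user on a domain-joined client, and that Windows renders the entry with the English label "Principal Name=".

```powershell
# Added diagnostic example (not from the thread).
# Run in the affected user's session on a domain-joined Windows client.

# 1. UPN the directory currently holds for the logged-on user.
$searcher = [adsisearcher]"(sAMAccountName=$env:USERNAME)"
$searcher.PropertiesToLoad.Add('userPrincipalName') | Out-Null
$result = $searcher.FindOne()
if (-not $result) { throw "No AD object found for $env:USERNAME" }
$adUpn = [string]($result.Properties['userprincipalname'] | Select-Object -First 1)

# 2. UPN embedded in the Subject Alternative Name (OID 2.5.29.17) of every
#    certificate in the user's personal store.
$sanOid = '2.5.29.17'
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    if (-not $san) { return }   # no SAN extension: skip this certificate

    # Format($true) renders the extension as text. Assumption: English
    # display text, where the UPN otherName reads "Principal Name=user@domain".
    $text = $san.Format($true)
    foreach ($m in [regex]::Matches($text, 'Principal Name=(\S+)')) {
        $certUpn = $m.Groups[1].Value
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            Issuer     = $cert.Issuer
            CertUpn    = $certUpn
            AdUpn      = $adUpn
            Match      = ($certUpn -ieq $adUpn)   # case-insensitive compare
        }
    }
} | Sort-Object NotBefore | Format-Table -AutoSize
```

Sorting by NotBefore puts the most recently issued certificate last, so a re-enrolled certificate that still shows `Match = False` is easy to tell apart from older ones left in the store.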