06-29-2018 06:12 AM
I've been trying to set up this scenario, but I keep getting the subject as the username on the GP portal.
Is there any trick? Because the configuration is pretty simple.
06-29-2018 07:52 AM
I'm not sure if I fully understand what you are trying to achieve, but to use the LDAP e-mail address for authentication on GP you will need to add "mail" to the login attribute in the authentication profile.
07-02-2018 12:13 AM - edited 07-02-2018 12:16 AM
I'm trying to set up two-factor authentication for GP users: client certificate and GP credentials.
I already made it work with a self-signed CA on the PA, where I'm issuing certificates with the LDAP username in the certificate subject. So once the user selects the correct certificate, the username field is populated with the LDAP username from the certificate subject field.
Now I'm trying to make the same scenario work with a CA I don't control and where I can't demand that the CA issue certificates with LDAP usernames as the certificate subject. But these certificates do have an email address as a subject alternative parameter. So instead of selecting 'Subject' as the username field in the Certificate Profile, I select Subject Alt and Email for the username field. However, when I try to log in to the GP portal I'm still getting the subject field (which is name and surname) in the user login field. I would be expecting the email in this field. I've checked the certificate and it has the email in the subject alternative name field:
Then the next step will be modifying the authentication profile to accept the email for login, imo.
07-02-2018 12:32 AM - edited 07-02-2018 12:33 AM
I did a packet capture and I can see that the LDAP authentication profile is trying to send mail as the login attribute, but the value is still from the certificate subject instead of the subject alternative parameter email as configured in the certificate profile:
07-02-2018 04:22 AM
I have not used it in this way, but what happens if you add the user domain in the auth profile and set the modifier to:
"%USERINPUT%@%USERDOMAIN%"
I have tested part of this and my certificate alt email of mick.ball@domain.com is only adding mick.ball to the LDAP authentication window.
07-02-2018 04:28 AM
Ty for your suggestion.
But I'm stuck one step before this, imo. In your case the PA is already taking the alternative subject parameter with the email address from the certificate, it seems. While in my case the PA keeps taking the subject parameter even though I change my certificate profile to fetch Alt Subject Email from the certificate.
07-02-2018 04:50 AM
Although you have no control over the issued certificates, you could generate your own root cert on the PA and then sign user certs from this, then create a test certificate profile and play with this on a test portal.
That is what I am doing.
07-02-2018 05:01 AM
To confirm, these are the settings I have.
07-02-2018 05:07 AM
Please note that when I generated my test certificate and added the email address to 'email' it did not work, but when I added it as 'alt email' it did work as expected.
Perhaps this is your issue.
07-02-2018 05:34 AM
What were you getting as the username when you were using the 'normal' email address in the certificate (instead of alt email)? Whatever was in the certificate subject? Or some different error?
07-02-2018 05:38 AM
Though looking at your client cert and mine (in the post above), the field looks the same.
07-02-2018 05:39 AM
Yes, they do look the same, but Windows may be collating this information from different fields than the PA.
07-02-2018 05:43 AM - edited 07-02-2018 05:44 AM
When I added my email to 'email' the auth failed and I was not prompted for LDAP auth; the client on my iPhone stated 'invalid certificate'.
It only started working when I added the email to 'alt email'. This prompted me to log in as michael.ball, but the CN for my cert is mick ball, not michael.ball.
07-02-2018 05:46 AM
Ok, thanks so far. I'll play a bit more with local CA first and email/alt email fields.
07-02-2018 11:48 PM
I made a new cert with the local CA with both the email and alt email properties. And the "subject alternative name" property is definitely alt email as the PA understands it, because email is expected in the subject of the certificate, while alt email goes in the extended properties.
Cert made with CA on PA:
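Added example, not from this thread or from Palo Alto: a throwaway self-signed client certificate that carries an e-mail in both places the thread talks about (emailAddress inside the subject DN, and an rfc822Name in the subjectAltName extension), and one extraction per username source a certificate profile can be pointed at. It assumes OpenSSL 1.1.1 or later for -addext and -ext; every name, address and path is constructed.

```shell
#!/bin/sh
# Constructed test certificate: subject CN is a person's name, the subject also
# has an emailAddress attribute, and the SAN extension carries a different
# rfc822Name so the source of each extracted value is unambiguous.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CERT="$WORK/client.pem"

gen_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/client.key" -out "$CERT" \
    -subj "/CN=Mick Ball/O=Example Corp/emailAddress=subject.field@domain.com" \
    -addext "subjectAltName=email:mick.ball@domain.com" >/dev/null 2>&1
}

# Username source "Subject" (common name): the CN attribute of the DN.
subject_cn() {
  openssl x509 -in "$CERT" -noout -subject \
    | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Subject "email": the emailAddress attribute that lives inside the DN itself.
subject_email() {
  openssl x509 -in "$CERT" -noout -subject \
    | sed -n 's/.*emailAddress *= *\([^,/]*\).*/\1/p'
}

# "Subject Alt / Email": the rfc822Name from the X509v3 subjectAltName extension,
# i.e. the value the thread's working configuration keyed on.
san_email() {
  openssl x509 -in "$CERT" -noout -ext subjectAltName \
    | grep -o 'email:[^, ]*' | cut -d: -f2
}

# The thread reports only the local part reaching the LDAP login prompt; a
# %USERINPUT%@%USERDOMAIN% modifier would then re-append the domain.
local_part() { printf '%s\n' "$1" | cut -d@ -f1; }

if [ "${1:-}" = "run" ]; then
  gen_cert
  echo "subject CN:    $(subject_cn)"
  echo "subject email: $(subject_email)"
  echo "SAN email:     $(san_email)"
  echo "login name:    $(local_part "$(san_email)")"
fi
```

Run it with `sh script.sh run`; the three extracted values differ, which is the quickest way to see which field a profile is actually reading.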