ADFS Client Certificate Authentication with CN and Subject Alternate Name different from UPN

1

I am trying to implement client authentication for a SharePoint application using client certificate authentication.

The certificates for the users are issued by an external certificate authority and we map the certificate to users in the Active Directory by name mapping the certificate value for CN. However, the CN of the certificate does not match the UPN in Active Directory and I have no control over how the CN is created (external CA).

When users are trying to log in by the client certificate (we enable the external authentication with the certificate + add all root CAs to the Trusted store so the client certificate can be trusted), the user gets prompted to choose the certificate and after that, they receive the following error:

    The Federation Service encountered an error while processing the WS-Trust request.
    Request type: schemas.microsoft.com/idfx/requesttype/issue
    Additional Data
    Exception details:
    System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
       at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.KerberosCertificateLogon(X509Certificate2 certificate)
       at Microsoft.IdentityModel.Claims.WindowsClaimsIdentity.CertificateLogon(X509Certificate2 x509Certificate)
       at Microsoft.IdentityModel.Claims.WindowsClaimsIdentity.CreateFromCertificate(X509Certificate2 certificate, Boolean useWindowsTokenService, String issuerName)
       at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
       at Microsoft.IdentityServer.Service.Tokens.MSISX509SecurityTokenHandler.ValidateToken(SecurityToken token)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList1& identityClaimSet, List1 additionalClaims)

ssl
sharepoint
active-directory
saml
adfs

1 Answer

1

Ensure that the Alternate ID match is done with the thumbprint of the certificate.

Based on your error message some possible scenarios are:

  • Your ADFS service account cannot read the pwdLastSet value from users in your child domain - check effective permissions.
  • The users in the child domain have never set a password, or the value for pwdLastSet is set to a very large or very small value that cannot be processed as a file time - this might happen if the users are provisioned with an Identity Management tool that is writing to the AD database in a specific way.

Manually create a user in the child domain and see if the user can log in. If it cannot, disable inheritance on the object and assign the "Read all properties" permission to the service account - remove any Deny permissions from the user.
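The two checks the answer lists (unreadable or unusable pwdLastSet values, and Deny or missing read permissions for the ADFS service account on the user objects in the child domain) can be triaged from PowerShell. The script below is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module is installed, that the account running it can read the child domain, and that `child.example.com` and `EXAMPLE\svc-adfs` are placeholders you replace with your own child domain and ADFS service account.

```powershell
# Added example (not from the original post). Placeholders: $ChildDomain, $ServiceAccount.
Import-Module ActiveDirectory

$ChildDomain    = 'child.example.com'   # placeholder: the child domain holding the users
$ServiceAccount = 'EXAMPLE\svc-adfs'    # placeholder: the ADFS service account (DOMAIN\name)

# A separate AD: drive rooted in the child domain, so Get-Acl resolves DNs from that domain.
New-PSDrive -Name ChildAD -PSProvider ActiveDirectory -Server $ChildDomain -Root '//RootDSE/' | Out-Null

# 1. Users whose pwdLastSet is 0 (never set / must change at next logon) or cannot be
#    converted to a FILETIME date (the "very large or very small value" case).
$badPwdLastSet = foreach ($u in Get-ADUser -Server $ChildDomain -Filter * -Properties pwdLastSet) {
    $value  = [int64]$u.pwdLastSet      # $null becomes 0
    $reason = $null
    if ($value -eq 0) {
        $reason = 'never set / must change at next logon'
    } else {
        try   { [void][DateTime]::FromFileTimeUtc($value) }
        catch { $reason = "not a valid FILETIME ($value)" }
    }
    if ($reason) {
        [pscustomobject]@{ User = $u.SamAccountName; DN = $u.DistinguishedName; pwdLastSet = $value; Reason = $reason }
    }
}
$badPwdLastSet | Format-Table User, pwdLastSet, Reason -AutoSize

# 2. For each flagged user, look at the ACEs that name the service account directly:
#    any Deny ACE is a finding; an explicit ReadProperty Allow is what the answer recommends
#    adding after disabling inheritance.
$readProperty = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
foreach ($row in $badPwdLastSet) {
    $acl   = Get-Acl -Path "ChildAD:\$($row.DN)"
    $rules = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $ServiceAccount }
    $deny  = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' })
    $read  = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (($_.ActiveDirectoryRights -band $readProperty) -ne 0)
    })
    [pscustomobject]@{
        User                 = $row.User
        DenyAcesForSvcAcct   = $deny.Count
        ExplicitReadAllow    = $read.Count -gt 0
        InheritanceEnabled   = -not $acl.AreAccessRulesProtected
    }
}
```

Step 2 only inspects ACEs that name the service account itself; access granted through group membership is not resolved here, so an empty `ExplicitReadAllow` is not by itself proof of the problem, whereas a non-zero `DenyAcesForSvcAcct` is. Use the Effective Access tab in Active Directory Users and Computers for the full picture the answer refers to.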


User contributions licensed under CC BY-SA 3.0