1. Add UPNs For Smart Card Users

Smart card logins rely on user principal names (UPNs), so the Active Directory accounts of smart card users must have a valid UPN for authentication.

If the smart card user resides in a domain other than the one from which the root certificate was issued, you must set the user's UPN to the subject alternative name (SAN) contained in the root certificate of the trusted CA.

If your root certificate was issued from a server in the smart card user's current domain, you do not need to modify the user's UPN.

  1. On Windows Server, open Server Manager.
  2. Expand Roles > Active Directory Domain Services > DomainName and click Users in the left pane.
  3. In the right pane, right-click the user you want to associate with the smart card and select Properties.
  4. On the General tab, type the name and email address of the user in the domain.
  5. On the Account tab, type the User logon name and the user's domain.
  6. Click OK to close the window.
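
The same change can be scripted and checked. The following PowerShell is an added example, not part of the original procedure or any vendor tooling: it reads the UPN entry from a certificate's SAN, compares it with the account's current UPN, and updates the account only when they differ. It assumes the RSAT ActiveDirectory module and an English-locale Windows host; the function names, the account `jdoe` and the path `C:\certs\example.cer` are hypothetical placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Function names, account name and certificate path are placeholders.

function Get-CertificateUpn {
    param([Parameter(Mandatory)][string]$Path)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $Path).Path)
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    # Windows renders the UPN entry as "Principal Name=user@domain" (English locale assumed).
    if ($san -and $san.Format($false) -match 'Principal Name=([^\s,]+)') { return $Matches[1] }
    return $null
}

function Set-SmartCardUserUpn {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$CertificatePath
    )
    $upn = Get-CertificateUpn -Path $CertificatePath
    if (-not $upn) { throw "No UPN entry in the SAN of $CertificatePath" }

    $user = Get-ADUser -Identity $Identity -Properties UserPrincipalName
    if ($user.UserPrincipalName -eq $upn) {
        Write-Verbose "$Identity already has UPN $upn"
        return $user
    }

    # Refuse to create a duplicate UPN. This query covers the current domain only.
    $escaped = $upn.Replace("'", "''")
    $clash = Get-ADUser -Filter "UserPrincipalName -eq '$escaped'" |
        Where-Object { $_.DistinguishedName -ne $user.DistinguishedName }
    if ($clash) { throw "UPN $upn is already assigned to $($clash.DistinguishedName)" }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set UPN to $upn")) {
        Set-ADUser -Identity $user -UserPrincipalName $upn
    }
    # Return the account as it now stands so the result can be verified.
    Get-ADUser -Identity $user -Properties UserPrincipalName
}

# Dry run: reports the intended change without writing to the directory.
Set-SmartCardUserUpn -Identity 'jdoe' -CertificatePath 'C:\certs\example.cer' -WhatIf
```

Remove `-WhatIf` to apply the change once the dry run reports the expected UPN.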