How to set up certificate-based authentication across forests without trust for a web server

Applies to: Windows Server 2016


This article describes how to set up a web server to use smart cards for cross-forest certificate-based authentication when the user forests and the resource forest do not trust one another.


Consider an environment that uses the following configuration:

  • A user forest that is named
  • A resource forest that is named The forest has added as an alternate User Principal Name (UPN).
  • There is no trust between the two forests.
  • User smart cards use certificates that have Subject Alternative Name (SAN) entries of the format
  • An IIS web server that is configured for Active Directory Certificate Based Authentication.

Configure Active Directory and the web server as described in the following procedures.

Configure Active Directory

To configure the resource forest to authenticate smart cards:

  1. Make sure that a Kerberos Authentication Certificate that has a KDC Authentication extended key usage (EKU) has been issued to the domain controllers.
  2. Make sure that the Issuing CA certificate of the user’s certificate is installed in the Enterprise NTAUTH store.

    To publish the Issuing CA certificate in the domain, run the following command at a command prompt:
    certutil -dspublish -f <filename> NTAUTHCA
  3. Users must have accounts that use the alternate UPN of the resource forest.
    [Figure: User Properties]

To configure the user forest, follow these steps:

  1. Make sure that you have Smart Card Logon and Client Authentication EKU defined in the certificate.
  2. Make sure that the SAN of the certificate uses the UPN of the user.
    [Figure: SAN of the certificate]
  3. Make sure that you install the Issuing CA Certificate of the user certificate in the Enterprise NTAUTH store.

Configure the web server

To configure the IIS Web server in the resource forest:

  1. Install the IIS Web server role, and select the Client Certificate Mapping Authentication Security feature.
    [Figure: Select server roles]
  2. On the IIS Web server, enable Active Directory Client Certificate Authentication.
    [Figure: IIS configuration]
  3. On your website, configure SSL Settings to Require SSL and then under Client certificates, select Require.
    [Figure: SSL Settings]

More information

If you want to set up delegation on this resource web server to query a backend server, such as a database server or a CA, you may also configure constrained delegation by using a custom service account. Additionally, you must set up the web server for constrained delegation (S4U2Self) or protocol transition. For more information, see KB4494313, How to configure Kerberos Constrained Delegation (S4U2Proxy or Kerberos Only) on a custom service account for Web Enrollment proxy pages.

If you want to skip the UPN in the SAN attribute of the user smart card certificate, you have to either explicitly map by using AltSecID attributes, or use name hints.


If you publish the SAN attribute as the intended UPN in the user's certificate, you should not enable AltSecID.

To check the NTAuth store on the web server, open a Command Prompt window and run the following command:

Certutil -viewstore -enterprise NTAUTH
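
The checks from the procedures above can be combined into one pre-flight script run on the web server. This is an added example, not part of the original article: it inspects an exported user certificate for the two EKUs and the UPN in the SAN, then confirms that its issuing CA is in the NTAuth store. Assumptions: $CertPath is a hypothetical path to the user's public certificate (.cer), the SAN text is parsed as Windows formats it on an English-language system, and the NTAuth store is read from the machine's locally cached copy in the registry.

```powershell
# Added example: pre-flight check of a smart card user certificate on the IIS web server.
using namespace System.Security.Cryptography.X509Certificates
param([Parameter(Mandatory)][string]$CertPath)   # hypothetical path to the exported .cer

$oidSmartCardLogon = '1.3.6.1.4.1.311.20.2.2'    # Smart Card Logon EKU
$oidClientAuth     = '1.3.6.1.5.5.7.3.2'         # Client Authentication EKU
$oidSan            = '2.5.29.17'                 # Subject Alternative Name extension
# Locally cached copy of the Enterprise NTAuth store on a domain member
$ntAuthKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'

$cert = [X509Certificate2]::new((Resolve-Path -LiteralPath $CertPath).Path)

# EKUs present in the certificate (empty list if there is no EKU extension)
$ekuExt = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
$ekus   = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object Value) } else { @() }

# UPN from the SAN; Windows renders the otherName entry as "Principal Name=<upn>"
# (assumption: English-language formatting)
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oidSan }
$upn    = if ($sanExt -and $sanExt.Format($true) -match 'Principal Name=(\S+)') { $Matches[1] }

# Build the chain without revocation checking to locate the issuing CA certificate
$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
[void]$chain.Build($cert)
$issuer = if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate }

# The issuing CA must be in NTAuth; entries are stored as subkeys named by thumbprint
$inNtAuth = $false
if ($issuer) {
    $inNtAuth = Test-Path -LiteralPath (Join-Path $ntAuthKey $issuer.Thumbprint)
}

[pscustomobject]@{
    Subject              = $cert.Subject
    HasSmartCardLogonEku = $ekus -contains $oidSmartCardLogon
    HasClientAuthEku     = $ekus -contains $oidClientAuth
    SanUpn               = $upn
    IssuerFound          = [bool]$issuer
    IssuerSubject        = $issuer.Subject
    IssuerInNtAuth       = $inNtAuth
}
```

If IssuerFound is false, the issuing CA certificate is not available to the web server for chain building, so the NTAuth result cannot be evaluated until it is installed.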