Get-Credential does not support Smart Card user name hints

If you utilize Smart Cards with certificates that are not directly linked to users (no suitable user DN in Subject and no UPNs in SANs), you are able to link a single certificate to multiple accounts dynamically with the caveat that users need to provide explicit user name hints during logon in order to log on.

User name hints need to be enabled via GPO or registry settings ("X509HintsNeeded"), after which all standard credential dialogs in Windows support them, except PowerShell's Get-Credential. This effectively prevents using PowerShell remoting with such Smart Cards / certificates if different credentials are required.

In today's landscape where Microsoft recommends explicitly tiering your infrastructure and user accounts and using secure methods of administration such as PowerShell Remoting, the omission of this feature is a big letdown. It also reinforces bad habits because Remote Desktop fully supports this scenario while PowerShell does not.

This feature should be implemented.

4 votes
Joonas Tuomisto shared this idea

0 comments