CredUI selects wrong Smartcard certificate
Hi Community,
I am experiencing an issue where the certificate shown by CredUI is not the one I would expect according to the "Filter duplicate logon certificates" Group Policy when the certificate was issued using the certreq.exe command. If I issue certificates from the same certificate templates using the Windows Autoenrollment process, everything works as expected.
Example 1:
Enrollment of 3 smartcard certificates using Autoenrollment:
Auto1-->Auto2-->Auto3
Certificate Auto3 is displayed by CredUI, as it is the last to expire. Auto1 and Auto2 are filtered out due to the policy --> This is the expected behavior from my side.
Example 2:
Enrollment of 3 smartcard certificates using certreq submit:
Certreq1-->Certreq2-->Certreq3
Certificate Certreq1 is displayed by CredUI --> From my understanding this is wrong, since it's not the last to expire.
If I disable the policy and select Certreq3 to authenticate I am able to authenticate using this certificate.
Example 3:
Enrollment of 3 smartcard certificates using certreq submit and Autoenrollment:
Certreq1-->Auto1-->Certreq2
Certificate Auto1 is displayed by CredUI --> From my understanding this is wrong, since it's not the last to expire.
The issued certificates from Autoenrollment and Certreq have identical attributes and extensions. The only difference I notice is that the order in which the extensions are displayed is different, but this shouldn't play a role in its function.
Does anybody have an idea why the behavior is like that, or how I can find out the selection logic used by CredUI in this case?
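
A diagnostic sketch for comparing the certificates in the three scenarios above, added here as an example and not part of the original post. It lists every Smart Card Logon certificate with its validity dates, template, UPN and extension order, and flags the one in each group that expires last. Assumptions: the card's certificates are visible in `Cert:\CurrentUser\My`, the extension text is formatted by an English Windows installation, and grouping by template and UPN approximates what the policy treats as duplicates.

```powershell
# Added example. Reads certificate metadata only; no private key operations.
$ekuSmartCardLogon = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon EKU
$oidTemplateV2     = '1.3.6.1.4.1.311.21.7'    # Certificate Template Information
$oidTemplateV1     = '1.3.6.1.4.1.311.20.2'    # Certificate Template Name (v1 templates)
$oidSan            = '2.5.29.17'               # Subject Alternative Name
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

$rows = foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    # Keep only certificates that carry the Smart Card Logon EKU.
    $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
    $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if ($usages -notcontains $ekuSmartCardLogon) { continue }

    # Template identity: first field of the formatted template extension.
    $tpl = $cert.Extensions[$oidTemplateV2]
    if (-not $tpl) { $tpl = $cert.Extensions[$oidTemplateV1] }
    $tplText = if ($tpl) { ($tpl.Format($false) -split ',')[0] } else { '(none)' }

    # UPN from the SAN; the "Principal Name=" label is locale dependent (assumption).
    $san = $cert.Extensions[$oidSan]
    $upn = if ($san -and $san.Format($false) -match 'Principal Name=([^,\s]+)') {
        $Matches[1]
    } else { '(none)' }

    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        NotBefore      = $cert.NotBefore
        NotAfter       = $cert.NotAfter
        Template       = $tplText
        Upn            = $upn
        # Extension OIDs in encoded order, to compare certreq and autoenrolled certificates.
        ExtensionOrder = ($cert.Extensions | ForEach-Object { $_.Oid.Value }) -join ' '
    }
}

# Within each (template, UPN) group, mark the certificate with the latest NotAfter.
$rows | Group-Object Template, Upn | ForEach-Object {
    $latest = $_.Group | Sort-Object NotAfter -Descending | Select-Object -First 1
    $_.Group | Sort-Object NotBefore | Select-Object Thumbprint, NotBefore, NotAfter,
        Template, Upn, ExtensionOrder,
        @{ Name = 'ExpiresLast'; Expression = { $_.Thumbprint -eq $latest.Thumbprint } }
} | Format-List
```

If the certificate CredUI displays is not the one marked `ExpiresLast`, comparing the `Template` and `Upn` values across the certreq and autoenrolled entries shows whether they fall into the same group at all.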