Finally have some progress. After we added SPN to the computer object ISE is able to do lookup in AD and Win machine can authenticate with GPO generated certificate. However, Linux machine certificate FAILED with the same "ERROR_NO_SUCH_USER" So the problem now is in the Linux cert. One thing I noted in the Radius logs is that the usernames in successful authentications appears like: host12345$@domain.xxx.xx , but failed one are like: host54321.domain.xx.xx. I guess $ and @ are used to construct the Username from some of the cert objects..... What objects are used? In the Linux cert we don't use SAN, my understanding it shouldn't matter as long as CN is matching SPN in AD object. Regards, Stan ... View more

"authorization of the machine based on its presence in AD, or membership in group" - that is exactly the use case. Clarification on some of the points: External CA (integrated with AD) is used to issues Win certificates and sign Lunix machine certs. There is no intent to do cert binary comparison. Here is what we've done: "Test User" function for t est Machine account returns FAIL with "ERROR_NO_SUCH_USER", but test User account with the same name returns SUCCESS. In The Cert Auth Profile we tried to use all possible attributes i.e. CN, SAN, Subject, no luck. Also, I'm unable to find " subject principal name (SPN) attribute" in the AD computers. There is userPrincipalName, but no "subject"... Is this correct attribute or I missed something? We also tried to use LDAP as identity store in Cert Auth Profile, however it has Binary Comparison always ON (no option to untick it) that makes things even more complicated. In this case we receive error: "Cannot retrieve user's certificate" even if the certificate is loaded into subject's AD account. "adding into AD for access based on LDAP" - We've setup ISE to do LDAP search in the root container (Directory Organization), Any other suggestions? Regards, Stan ... View more