Set Active Directory “Security Identity Mapping” / “Name Mapping” with C#/Powershell does not add to the right "store"

Question

I have followed this guide: https://blogs.msdn.microsoft.com/adpowershell/2009/04/26/working-with-certificates-in-active-directory-powershell/

The certificate is successfully added to the Published Certificates of the user. But it's not what I really want.

Instead I want the certificate to be added to the X509 Certificates of the AD user (Name Mapping / Security Identity Mapping in Active Directory)

Security Identity Mapping

Is there a way to do this in C# or Powershell?

Answer 1

So I've resolved the problem by following this guide.

https://blogs.msdn.microsoft.com/adpowershell/2009/04/26/working-with-certificates-in-active-directory-powershell/

Changed the command a little bit suggested by Mathias.

Set-ADUser -Certificates

Then followed this guide to fill in the parameters of altSecurityIdentities.

https://blogs.msdn.microsoft.com/spatdsg/2010/06/18/howto-map-a-user-to-a-certificate-via-all-the-methods-available-in-the-altsecurityidentities-attribute/

Now my certificate is added to X509 Certicates in Security Identity Mapping.

Here is my code:

Set-ADUser USERNAME -Add @{'altSecurityIdentities'="X509:<I>C=BE,CN=Citizen CA,SERIALNUMBER=********<S>C=BE,CN=FIRSTNAME (Authentication),SN=LASTNAME,G=FIRSTNAME,SERIALNUMBER=***********"}

Note: you can get the X509 parameters (Issuer and Subject) by opening the certificate.

I hope this can help someone else with the same problem. And thanks again Mathias!