title: "Mitigation: X509CertificateClaimSet.FindClaims Method"
description: Learn how the X509CertificateClaimSet.FindClaims method has changed for apps that target .NET Framework 4.6.1.
ms.date: 03/30/2017
ms.assetid: ee356e3b-f932-48f5-875a-5e42340bee63

Mitigation: X509CertificateClaimSet.FindClaims Method

Starting with apps that target .NET Framework 4.6.1, the X509CertificateClaimSet.FindClaims method will attempt to match the claimType argument with all the DNS entries in the certificate's subject alternative name (SAN) field.

Impact

This change only affects apps that target versions of the .NET Framework starting with the .NET Framework 4.6.1.

For apps that target previous versions of the .NET Framework, the X509CertificateClaimSet.FindClaims method attempts to match the claimType argument only with the last DNS entry.

Mitigation

If this change is undesirable, apps that target versions of the .NET Framework starting with the .NET Framework 4.6.1 can opt out of it by adding the following configuration setting to the <runtime> section of the app’s configuration file:

<runtime>
    <AppContextSwitchOverrides value="Switch.System.IdentityModel.DisableMultipleDNSEntriesInSANCertificate=true" />
</runtime>

In addition, apps that target previous versions of the .NET Framework but are running under the .NET Framework 4.6.1 and later versions can opt in to this behavior by adding the following configuration setting to the <runtime> section of the app’s configuration file:

<runtime>
    <AppContextSwitchOverrides value="Switch.System.IdentityModel.DisableMultipleDNSEntriesInSANCertificate=false" />
</runtime>
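
To check which DNS names an app actually receives from a multi-SAN certificate under its current target framework and switch setting, the following added example (not part of the original page) builds a constructed self-signed certificate with two SAN DNS entries and lists the DNS claims that FindClaims returns. It assumes .NET Framework 4.7.2 or later (for CertificateRequest) and a reference to System.IdentityModel; the class, method and host names are illustrative.

```csharp
using System;
using System.IdentityModel.Claims;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SanDnsClaimAudit
{
    const string SwitchName =
        "Switch.System.IdentityModel.DisableMultipleDNSEntriesInSANCertificate";

    // Constructed sample: a throwaway self-signed certificate with the given SAN DNS entries.
    static X509Certificate2 BuildSampleCertificate(params string[] dnsNames)
    {
        using (RSA key = RSA.Create(2048))
        {
            var request = new CertificateRequest(
                "CN=san-audit-sample", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            var san = new SubjectAlternativeNameBuilder();
            foreach (string name in dnsNames) san.AddDnsName(name);
            request.CertificateExtensions.Add(san.Build());
            return request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
        }
    }

    // DNS names that FindClaims surfaces for this certificate in the running process.
    static string[] DnsClaims(X509Certificate2 certificate)
    {
        using (var claimSet = new X509CertificateClaimSet(certificate))
        {
            return claimSet.FindClaims(ClaimTypes.Dns, Rights.PossessProperty)
                           .Select(c => (string)c.Resource).Distinct().ToArray();
        }
    }

    static void Main()
    {
        // Report whether the compatibility switch was set explicitly (for example in app.config).
        bool disabled;
        bool isSet = AppContext.TryGetSwitch(SwitchName, out disabled);
        Console.WriteLine("Switch explicitly set: {0}, value: {1}", isSet, disabled);

        string[] sanEntries = { "first.example.test", "last.example.test" }; // constructed names
        using (X509Certificate2 cert = BuildSampleCertificate(sanEntries))
        {
            string[] names = DnsClaims(cert);
            Console.WriteLine("DNS claims: " + string.Join(", ", names));
            foreach (string expected in sanEntries)
                Console.WriteLine("{0} matched: {1}", expected,
                    names.Contains(expected, StringComparer.OrdinalIgnoreCase));
        }
    }
}
```

Running it once with and once without the opt-out setting in the app's configuration file shows whether authorization logic that keys on DNS claims sees every SAN entry or only the last one.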
