CAC cards and web servers
I have a client that wants to implement CAC with our website. Usually the user already has access based on the certificates assigned to them.

They want to be validated by entering their CAC pin code when they click a button to log in.

I'm using ActivClient to manage the CAC but I don't know how to have the website communicate with the card reader to have the user input the pin code and validate it.

Is this done through IIS settings or do I have to update my code to somehow communicate with the middleware?

Thanks in advance

Novelty answered 18/5, 2015 at 19:23 Comment(0)
The solution we used involved a few configuration changes to IIS as well as some code changes to use the information provided by the CAC.

In IIS (8.0), we just set the Authentication to Anonymous Authentication. In SSL Settings, we checked Require SSL and under Client Certificates, selected the Require option.

After you've authenticated, depending on what information you need access to from the certificate, you can access it using this method:

// requires: using System.Security.Cryptography.X509Certificates;  (Request.ClientCertificate.Certificate is the raw DER bytes)
X509Certificate2 certificate = new X509Certificate2(Request.ClientCertificate.Certificate);

This will give you the certificate object that contains the information that the CAC carries. You can access some of these properties by using

certificate.GetNameInfo(X509NameType.SimpleName);  //X509NameType.EmailName, etc
Balefire answered 18/5, 2015 at 20:56 Comment(2)
So does requesting the X509Certificate prompt the user to enter their PIN code? That is the part that confuses me. How is that communication happening, and how would my application know if it passed or failed? Would it be that X509Certificate2 certificate = new X509Certificate2(Request.ClientCertificate.Certificate); would return null? Thanks for the quick response btw, I greatly appreciate it.Novelty
The part that prompts the user to enter the pin is the IIS Setting in the SSL Settings section where you make Client Certificates Required. In that area there are 3 options: Ignore, Accept, and Require. Ignore will not prompt you at all. Accept will prompt you, but if you hit Cancel, it will let you through. Require will prompt you and give you a 403 error if you hit Cancel. Once you have chosen a certificate, Request.ClientCertificate.Certificate will be populated. If you were not prompted, then that object will be null.Balefire
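Added example, not code from the answer above or its comments: how the application side of this configuration would consume the certificate IIS negotiated. It assumes ASP.NET on System.Web (MVC 5 or WebForms) behind exactly the IIS settings described (Anonymous Authentication, Require SSL, Client Certificates = Require). CacIdentity, CacAuthentication, ExtractEdipi and trustedRootThumbprints are names introduced here; the EDIPI-at-the-end-of-the-CN layout is the conventional DoD CAC subject format and should be confirmed against the client's actual cards.

```csharp
// Added example (not the original answer's code). Assumes ASP.NET on System.Web behind
// IIS with Anonymous Authentication, Require SSL and Client Certificates = Require.
// CacIdentity, CacAuthentication and trustedRootThumbprints are names introduced here.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web;

public sealed class CacIdentity
{
    public string SubjectDn { get; set; }   // stable key for the person across card reissue
    public string CommonName { get; set; }  // conventionally "LAST.FIRST.MIDDLE.1234567890"
    public string Edipi { get; set; }       // last dotted component of the CN, if it is 10 digits
    public string Thumbprint { get; set; }  // identifies this particular card's certificate only
}

public static class CacAuthentication
{
    private const string ClientAuthEku = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    // Returns null unless a client certificate was presented AND it chains to a root the
    // deployer listed. IIS "Require" already answers 403 when the user cancels the PIN
    // prompt, but the application re-checks so it fails closed if the site is ever
    // redeployed with "Accept" or "Ignore".
    public static CacIdentity FromRequest(HttpRequest request, ISet<string> trustedRootThumbprints)
    {
        HttpClientCertificate clientCert = request.ClientCertificate;
        if (clientCert == null || !clientCert.IsPresent ||
            clientCert.Certificate == null || clientCert.Certificate.Length == 0)
        {
            return null; // no certificate negotiated: the handshake never prompted for a PIN
        }

        var certificate = new X509Certificate2(clientCert.Certificate);
        return Validate(certificate, trustedRootThumbprints);
    }

    public static CacIdentity Validate(X509Certificate2 certificate, ISet<string> trustedRootThumbprints)
    {
        using (var chain = new X509Chain())
        {
            // IIS accepted anything chaining to a root in the machine store. The application
            // additionally requires the clientAuth EKU, a live revocation check (lost cards
            // are revoked) and a root it explicitly trusts, rather than any installed CA.
            chain.ChainPolicy.ApplicationPolicy.Add(new Oid(ClientAuthEku));
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

            if (!chain.Build(certificate))
            {
                // expired, revoked, wrong EKU, untrusted issuer, or revocation status unknown
                return null;
            }

            X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            if (!trustedRootThumbprints.Contains(root.Thumbprint))
            {
                return null; // valid chain, but not to the PKI this site trusts
            }
        }

        string cn = certificate.GetNameInfo(X509NameType.SimpleName, false);
        return new CacIdentity
        {
            SubjectDn = certificate.Subject,
            CommonName = cn,
            Edipi = ExtractEdipi(cn),
            Thumbprint = certificate.Thumbprint
        };
    }

    // DoD CAC subjects conventionally end the CN with the 10-digit EDIPI
    // ("DOE.JOHN.A.1234567890"). Returns null when the CN does not follow that layout,
    // so callers fall back to the full subject DN instead of keying on a partial name.
    public static string ExtractEdipi(string commonName)
    {
        if (string.IsNullOrEmpty(commonName)) return null;
        int dot = commonName.LastIndexOf('.');
        string tail = dot < 0 ? commonName : commonName.Substring(dot + 1);
        if (tail.Length != 10) return null;
        foreach (char c in tail)
        {
            if (c < '0' || c > '9') return null;
        }
        return tail;
    }
}
```

In a controller or page this is called as `var id = CacAuthentication.FromRequest(Request, trustedRoots); if (id == null) { Response.StatusCode = 403; return; }`, with `trustedRoots` a `HashSet<string>(StringComparer.OrdinalIgnoreCase)` holding the thumbprints of the root certificates actually deployed for the site (left to the deployer here; .NET reports thumbprints as upper-case hex with no separators). Key the user lookup on `SubjectDn` or `Edipi`, not on `Thumbprint` or the serial number, because those change every time the card is reissued. `RevocationMode.Online` makes `chain.Build` return false when the CRL/OCSP endpoints cannot be reached, which is the fail-closed behaviour wanted for a login path; on a network that cannot reach them, switch to `Offline` with CRLs pre-loaded on the server rather than to `NoCheck`.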

I recently dealt with this with the DoD. There is no code involved; all you have to do is set the IIS site to use Integrated Security (or possibly certificate authentication, based on your AD configuration) and turn off the other authentication mechanisms. The browser will then prompt the user for credentials using the method configured in Active Directory, which should show the CAC certificate selection and PIN window if they are using AD correctly. Note that you must also be using HTTPS, or the browser will not pass the CAC credentials to the server, for security reasons.

Less answered 18/5, 2015 at 19:48 Comment(3)
We did ours differently. In IIS, we set Authentication to Anonymous Authentication. Then in SSL Settings we checked Require SSL and selected the Require option for Client Certificates.Balefire
That's certainly another option that you should add as an answer. The requirement for my project was to pull the user's credentials from active directory without prompting for a username and password while verifying CAC. That may not be exactly what the OP wants. Your solution will allow CAC authentication plus the ability to log in as a different user. His solution will depend on exactly what the requirements are. There are a few ways to do this and almost all of them involve IIS configuration without any code.Less
I don't need to verify anything with Active Directory for authentication; I'm going to get the unique identifier from their CAC certificate to bypass login on our database. Will this model still work? Thanks for the help btw, I really appreciate it.Novelty

© 2022 - 2024 — McMap. All rights reserved.