We have developed a .NET C# web application for DoD that uses CAC (Common Access Card) as the sole method of authentication. We have trusted SSL certificates on the servers, the application is running in several locations, and everything is working as it should - for the most part.
Issue #1
The primary issue is that on some of our internal development servers, when you hit 'log-in' with a valid CAC in the card reader, only one certificate displays and it's not from the CAC. It's used to authenticate my work laptop with the network (the "Client Authentication" and "Smart-Card Login" attributes are checked within the Certificates snap-in).
We have another server on another network where the client certificate authentication works well - it shows the certs from the CAC and does not display the certificate described above. I've tried comparing everything I can think of in Windows Server 2008 R2 on these two servers, side-by-side, to see if I could find something that may be different, but they both appear to be default installations of Windows Server 2008 R2.
The following code is used to read the client certificate:
    if (Request.ClientCertificate.IsPresent)
    {
        // IIS populates Request.ClientCertificate from the TLS handshake
        HttpClientCertificate Cert = HttpContext.Current.Request.ClientCertificate;
        // use cert info to check db and create session
    }
This file resides within a directory where IIS > SSL Settings > "Require SSL" and "Require Client Certificates" are checked.
I don't know if this is a server configuration issue or a coding issue, but I've been working on this for months and cannot find an answer as to why the app can't get the CAC certs only when it's hosted on some servers.
Issue #2
If I access the application on a server where the CAC is read correctly, it pulls copies of all of the certs from all of the CACs used to access the application on that machine, rather than only the certs from the CAC physically in the card reader.
AKO [https://akologin.us.army.mil/] at least filters out the email certs; however, that site is not hosted on a Windows box.
Conclusion
It seems to me that there has to be a better, more in-depth mechanism to access and filter client certificates from the smart card reader, other than the Request.ClientCertificate collection and two checkboxes in IIS.
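As an added example (not code from the question above), the following shows the server-side filtering the conclusion asks for: the raw bytes in Request.ClientCertificate.Certificate are parsed into an X509Certificate2 and accepted only if the Extended Key Usage set looks like a CAC identity certificate rather than the workstation cert or an e-mail cert, and only if the chain builds with revocation checking to a pinned root. The EKU OIDs are the standard values; the root thumbprint is a placeholder, and the rule that e-mail certs carry the Secure Email EKU is an assumption to adjust to your PKI. Note that this can only validate what the browser chose to send; which certificate the picker offers is decided on the client, not by IIS or this code.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not the question's code; EKU OIDs are standard, the root thumbprint is a placeholder.
public static class CacCertificateFilter
{
    private const string ClientAuthOid     = "1.3.6.1.5.5.7.3.2";
    private const string SmartCardLogonOid = "1.3.6.1.4.1.311.20.2.2";
    private const string SecureEmailOid    = "1.3.6.1.5.5.7.3.4";
    // Placeholder: thumbprint of the root CA this application trusts.
    private const string TrustedRootThumbprint = "REPLACE-WITH-YOUR-DOD-ROOT-CA-THUMBPRINT";

    // rawCert is Request.ClientCertificate.Certificate (DER bytes), read inside the
    // IsPresent check. Returns the cert on success, or null with a reason to log.
    public static X509Certificate2 GetValidatedCacCert(byte[] rawCert, out string reason)
    {
        var cert = new X509Certificate2(rawCert);
        var ekus = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>()
            .SelectMany(e => e.EnhancedKeyUsages.Cast<Oid>()).Select(o => o.Value).ToList();
        // A workstation cert has Client Authentication but no Smart Card Logon;
        // CAC e-mail certs carry Secure Email (assumed). Accept only the identity cert.
        if (!ekus.Contains(ClientAuthOid) || !ekus.Contains(SmartCardLogonOid)
            || ekus.Contains(SecureEmailOid))
        {
            reason = "EKU set is not that of a CAC identity certificate: " + string.Join(",", ekus);
            return null;
        }
        // IIS already validated the chain; re-check with online revocation and
        // pin the root so a cert from an unexpected CA is refused.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        if (!chain.Build(cert))
        {
            reason = "chain build failed: " + string.Join("; ",
                chain.ChainStatus.Select(s => s.StatusInformation.Trim()));
            return null;
        }
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, TrustedRootThumbprint, StringComparison.OrdinalIgnoreCase))
        {
            reason = "chain does not end in the trusted root: " + root.Subject;
            return null;
        }
        reason = null;
        return cert;
    }
}
```

Log the reason on every rejection; a rejected workstation or e-mail certificate then shows up in the application log instead of a silent failed login.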