I have a client that wants to implement CAC with our website. Usually the user already has access based on the certificates assigned to them.
They want to be validated by entering their CAC pin code when they click a button to log in.
I'm using ActivClient to manage the CAC but I don't know how to have the website communicate with the card reader to have the user input the pin code and validate it.
Is this done through IIS settings or do I have to update my code to somehow communicate with the middleware?
Thanks in advance
The solution we used involved a few configuration changes to IIS as well as some code changes to use the information provided by the CAC.
In IIS (8.0), we just set the Authentication to Anonymous Authentication. In SSL Settings, we checked Require SSL and, under Client Certificates, selected the Require option.
After you've authenticated, depending on what information you need access to from the certificate, you can access it using this method:
X509Certificate2 certificate = new X509Certificate2(Request.ClientCertificate.Certificate);
This will give you the certificate object that contains the information that the CAC carries. You can access some of these properties by using
certificate.GetNameInfo(X509NameType.SimpleName, false); // second argument: false = subject name, true = issuer name; X509NameType.EmailName, etc.
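An added example, not code from the answer above: before trusting the name fields, an ASP.NET (System.Web) page can confirm that a certificate was actually presented, that it is issued for client authentication, and that its chain and revocation status check out. The helper name `ClientCertCheck` is hypothetical, and .NET Framework 4.6 or later is assumed.

```csharp
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web;

public static class ClientCertCheck // hypothetical helper, not part of the original answer
{
    // OID of the "Client Authentication" extended key usage.
    private const string ClientAuthEku = "1.3.6.1.5.5.7.3.2";

    // Returns the validated certificate, or null when the request should be rejected.
    public static X509Certificate2 GetValidatedCertificate(HttpRequest request)
    {
        HttpClientCertificate presented = request.ClientCertificate;

        // IIS is set to Require, but fail closed in case that setting is ever relaxed.
        if (!presented.IsPresent || !presented.IsValid)
            return null;

        var certificate = new X509Certificate2(presented.Certificate);

        // Strict choice: reject certificates that do not list the client-auth EKU.
        bool hasClientAuth = certificate.Extensions
            .OfType<X509EnhancedKeyUsageExtension>()
            .SelectMany(e => e.EnhancedKeyUsages.Cast<Oid>())
            .Any(oid => oid.Value == ClientAuthEku);
        if (!hasClientAuth)
            return null;

        // Rebuild the chain against the server's trust store with online
        // revocation checking, so a revoked card is refused.
        using (var chain = new X509Chain()) // IDisposable from .NET Framework 4.6
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            if (!chain.Build(certificate))
                return null;
        }

        return certificate;
    }
}
```

In a page or controller, call `ClientCertCheck.GetValidatedCertificate(Request)` and return a 403 response when it yields null; only then read fields with `GetNameInfo`.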
I recently dealt with this with the DoD. There is no code involved; all you have to do is set the IIS site to use Integrated Security (or possibly certificate authentication based on your AD configuration) and turn off the other authentication mechanisms. The browser will then prompt the user for credentials using the method configured in Active Directory, which should show the CAC certificate selection and PIN window if they are using AD correctly. Note that you must also be using HTTPS or the browser will not pass the CAC credentials to the server for security reasons.