DoD CAC Authentication - Client Certificate Issue with .NET C#, Windows Server 2008 R2, IIS 7.5

We have developed a .NET C# web application for DoD that uses CAC (Common Access Card) as the sole method of authentication. We have trusted SSL certificates on the servers, the application is running in several locations, and everything is working as it should - for the most part.

Issue #1

The primary issue is that on some of our internal development servers, when you hit 'log-in' with a valid CAC in the card reader, only one certificate displays and it's not from the CAC. It's used to authenticate my work laptop with the network (the "Client Authentication" and "Smart-Card Login" attributes are checked within the Certificates snap-in).

We have another server on another network where the client certificate authentication works well - it shows the certs from the CAC and does not display the certificate described above. I've tried comparing everything I can think of in Windows Server 2008 R2 on these two servers, side-by-side, to see if I could find something that may be different, but they both appear to be default installations of Windows Server 2008 R2.

The following code is used to read the client certificate:

if (Request.ClientCertificate.IsPresent)
{
    HttpClientCertificate Cert = HttpContext.Current.Request.ClientCertificate;
    //use cert info to check db and create session
}

This file resides within a directory where IIS > SSL Settings > "Require SSL" and "Require Client Certificates" are checked.

I don't know if this is a server configuration issue or a coding issue, but I've been working on this for months and cannot find an answer as to why the app can't get the CAC certs only when it's hosted on some servers.

Issue #2

If I access the application on a server where the CAC is read correctly, it pulls copies of all of the certs from all of the CACs used to access the application on that machine, rather than only the certs from the CAC physically in the card reader.

AKO [https://akologin.us.army.mil/] at least filters out the email certs; however, that site is not hosted on a Windows box.

Conclusion

It seems to me that there has to be a better, more in-depth mechanism to access and filter client certificates from the smart card reader, other than the Request.ClientCertificate collection and two checkboxes in IIS.

Joe D. asked Sep 19 '13 14:09

2 Answers

I had the same exact issue. Look for SChannel warnings in the system event logs.

"When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted."

There were about a hundred certs in the trusted root certification authorities > certificates. Removed all unneeded certs and did an IISreset as admin and all sites started working again.

user3018102 answered Sep 29 '22 11:09


Joe,

For issue #1, here's something to try: Check the Trusted Root Cert Authorities certificates on your working server against your non-working server. It sounds like you may have one or more missing or mismatched server certificates. If you have outdated, mismatched, or missing certificates, you can download them from DISA. The non-working server may not be pulling down the latest cert updates. We once had a case where there were just too many certificates in the store. In that case, we simply deleted old and/or unneeded certificates. Just make sure you EXPORT any certificates you plan to remove BEFORE deleting them...just in case you find out later that you need them after all (that would be 'experience' talking)!

I hope this is helpful and not just something that you've already tried. Good luck!

E. Shaffer answered Sep 29 '22 09:09
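A triage script for the steps both answers describe (look for the SChannel warning, compare the Trusted Root store of the working and non-working servers, and export any root before removing it). This is an added example, not code from either answerer; Event ID 36885 is the System-log ID Windows uses for the quoted Schannel message, and the 'DoD' subject filter is an assumption about which roots a CAC-only site actually needs.

```powershell
# Run in an elevated PowerShell on the IIS server (PowerShell 2.0 cmdlets only, so it works on 2008 R2).

# 1. Is SChannel truncating the trusted-issuer list it sends to the browser?
#    Event 36885 in the System log is the warning quoted in the first answer.
$truncated = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36885 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue
if ($truncated) {
    "SChannel reported a truncated issuer list, most recently at $($truncated[0].TimeCreated)"
} else {
    "No Schannel 36885 events found in the System log"
}

# 2. How many roots are in the LocalMachine Trusted Root store?
$roots = @(Get-ChildItem Cert:\LocalMachine\Root)
"Trusted root CAs in LocalMachine\Root: $($roots.Count)"

# 3. Dump the store to CSV so the working and non-working servers can be diffed
#    (copy both files to one machine, then:
#     Compare-Object (Import-Csv good.csv) (Import-Csv bad.csv) -Property Thumbprint).
$roots | Select-Object Thumbprint, Subject, NotAfter |
    Export-Csv -Path "$env:COMPUTERNAME-roots.csv" -NoTypeInformation

# 4. Candidates for removal: expired roots, plus roots that are not DoD issuers
#    (assumed filter; review the list by hand before deleting anything).
$candidates = $roots | Where-Object { $_.NotAfter -lt (Get-Date) -or $_.Subject -notmatch 'DoD' }

# 5. Export every candidate as DER .cer BEFORE it is removed, as the second answer advises.
$backup = Join-Path $env:TEMP 'root-backup'
New-Item -ItemType Directory -Path $backup -Force | Out-Null
foreach ($c in $candidates) {
    $bytes = $c.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [IO.File]::WriteAllBytes((Join-Path $backup "$($c.Thumbprint).cer"), $bytes)
}
"Exported $(@($candidates).Count) candidate roots to $backup for review"

# 6. Remove only what you have confirmed is unneeded, one thumbprint at a time, then restart IIS:
#      certutil -delstore Root <thumbprint>
#      iisreset
#    A backed-up root can be restored with:  certutil -addstore Root <file>.cer
```

Running step 3 on both servers and diffing the two CSVs shows exactly which roots differ, which is the comparison the second answer suggests doing by hand.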