CAC (SmartCard) Enabling ASP.Net on IIS

  • The only configuration settings required are (IIS7 screenshots below):
    • Require SSL (this covers the server side: the site must be served over HTTPS)
    • and either Accept or Require Client Certificates… “Accept” will populate the SmartCard’s cert info into your ASP.Net Request object (if one is provided) but won’t deny access if none has been provided; “Require” will deny access unless a valid SmartCard cert has been provided.

Tips:

  • One key thing to be aware of about how this works: during the SSL handshake the server sends the list of Trusted Root Certificates it accepts down to the client/browser, the browser compares that list against the issuers of the certs on the CAC that is present, and only if there’s a match will it prompt for the certificate and PIN input.  Therefore, both the server and the client must have the same Trusted Root certs installed for this to work; the easiest way to do this for DoD CACs is to grab the latest install_root.exe and run it.
  • Another key thing I discovered was that after you get the certs installed, go ahead and do a reboot: I was still getting 403 access denied errors that simply disappeared after I rebooted.
  • Throw these lines into an ASP.Net wizard-generated project’s Default.aspx to see the basic cert info… the .Subject property is the juiciest-looking info; there may be other properties of value.
    • <%=Page.Request.ClientCertificate.IsPresent%>
    • <%=Page.Request.ClientCertificate.Subject%>
  • It’s probably also helpful to go ahead and make sure your server-side SSL cert is properly named & not expired, such that you don’t get any warnings when you browse to the page… I was getting some errors related to that when I was working with Client Certs required.
    • this reference was helpful; see the section titled “Generate a Self Signed Certificate with the Correct Common Name”
    • this is the basic command you need to generate your own SSL cert for testing: SelfSSL /N:CN=www.whatever.com /V:9999
    • find SelfSSL in the IIS6 Reskit
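Since “Accept” only populates the Request object and never denies, the page itself has to decide what to do when no (or an untrusted) cert shows up. The following Default.aspx.cs code-behind is an added example, not code from the original post; it assumes a wizard-generated project whose page class is `_Default`, and it re-checks the presented cert against the server’s Trusted Root store so the page behaves the same under Accept and Require.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.UI;

// Added example (not from the original post): code-behind that enforces the
// client certificate in the application, independent of the IIS Accept/Require setting.
public partial class _Default : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        HttpClientCertificate cc = Request.ClientCertificate;

        // Under "Accept", IIS still serves the page when no cert was sent,
        // so the application must deny here rather than just display.
        if (!cc.IsPresent || !cc.IsValid)
        {
            Deny("No valid client certificate was presented.");
            return;
        }

        // Re-parse the raw DER bytes and build the chain ourselves against the
        // machine's Trusted Root store (the same roots install_root.exe adds).
        var cert = new X509Certificate2(cc.Certificate);
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            if (!chain.Build(cert))
            {
                string why = chain.ChainStatus.Length > 0
                    ? chain.ChainStatus[0].StatusInformation : "unknown chain error";
                Deny("Client certificate does not chain to a trusted root: " + why);
                return;
            }
        }

        // Same fields the post prints, HTML-encoded because a cert subject is attacker-chosen text.
        Response.Write("<p>Subject: " + Server.HtmlEncode(cert.Subject) + "</p>");
        Response.Write("<p>Issuer: " + Server.HtmlEncode(cert.Issuer) + "</p>");
        Response.Write("<p>Expires: " + cert.NotAfter.ToString("u") + "</p>");
    }

    private void Deny(string reason)
    {
        Response.StatusCode = 403;
        Response.Write(Server.HtmlEncode(reason));
        Response.End();
    }
}
```

The chain build runs under the app pool identity, so the roots have to be in the Local Machine store, not just the current user’s.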


  • Tim

    Hi BeeJ,
    Does the IIS server need to be domain joined, or have any other certs issued to it besides what's listed above?

    I keep getting access denied when browsing to my page, trying to make sense of it.

    Thanks,
    Tim

  • Hey Tim, the cert stuff absolutely works fine outside of domain context. I was testing this in workgroup mode at home. The way I understand it, it is typical to map the cert to a domain account and then base further authorization off of domain group membership and such… but this is not a requirement of the basic cert authentication facility.

    Couple things to confirm… 1) you rebooted already right? and 2) does it work at all with Accept vs Require Client certificates? 3) do you have a properly named, non-expired SSL cert in place? This can be done via a self generated SSL cert but you have to take care to get those pieces set properly… especially if you're set on Require vs Accept.

    I have a feeling you've already confirmed all this so I'm not very helpful. Access denied is always frustrating… it can come from so many different core issues… back up and simplify until you have a default page working w/o issue, then turn on more locked down settings one by one to flush out the culprit and narrow your troubleshooting scope.