IIS using PKI (CAC Card Readers)

I have a windows 2008 R2 Server that has IIS 7.5 installed.
This server is in Domain X Forest X

I have requested a CRL Cert and applied the Cert to the Server.
I configured bindings to the server https: port ip

Tested - all works

Now there are users in domain A Forest A
These users have a CAC/PKI card with client certificates

I need to set IIS to request/require Cert (CAC Card) from client
and SSO logon to IIS / APP

I configure the Site to require SSL
Client Certificates = accept

But I keep getting a logon box, and it won't accept the logon or the CAC.

The site was set to these providers
negotiate
NTLM

Anonymous = disabled
Windows = enabled

There is no trust relationship between the domains, but CAC is all certificates, and the certificates are validated by OCSP, so if one is expired or revoked it should deny access.

Indyrb asked:
btan (Exec Consultant) commented:
You may want to check the client mapping to the certificate of the CAC itself. I presume that when the card is inserted, the cert will be in the personal store, where the mapping can be used as configured for client cert authentication (instead of the username/password, which is the fallback to NTLM when cert auth cannot find the client cert). In fact, as you shared, a Windows prompt for username and password means that Kerberos SSO is not configured correctly.
http://blogs.msdn.com/b/asiatech/archive/2014/02/13/how-to-configure-iis-client-certificate-mapping-authentication-for-iis7.aspx

Not so sure if the smartcard PIN can be prompted, though... but the smartcard driver and a CryptoAPI provider supporting the smartcard still need to be installed on the client machine (which I assume you already have, based on your test).

Indyrb (Author) commented:
On the IIS server /Roles and Role Services for IIS

I see Client Certificate Mapping Authentication
and IIS Client Certificate Mapping Authentication

Should either of these be installed? Currently they report as uninstalled.

btan (Exec Consultant) commented:
It needs to be, as mentioned in the link: IIS Client Certificate Mapping Authentication must be installed.
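As an added example (not from this thread or the linked article), the configuration btan describes, applied with the WebAdministration module on the IIS 7.5 server: require a client certificate on the SSL binding, enable IIS many-to-one certificate mapping so the cross-forest CAC users land on one Domain X account, and turn off the Negotiate/NTLM prompt for that site. The site name, the mapped account DOMAINX\svc-cac and the issuer string EXAMPLE-ISSUER-ORG are assumptions to replace with your own values.

```powershell
# Added example, not the thread's own configuration. Assumed values: site "Default Web Site",
# mapped account DOMAINX\svc-cac, issuer organization "EXAMPLE-ISSUER-ORG".
Import-Module ServerManager
Import-Module WebAdministration

$site    = 'Default Web Site'
$apphost = 'MACHINE/WEBROOT/APPHOST'

# 1. Install the IIS (not the Active Directory) certificate mapping role service.
#    AD mapping needs the users' accounts in a trusted domain, which this scenario lacks.
Add-WindowsFeature Web-Cert-Auth

# 2. Require SSL and require the browser to present a client certificate.
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 3. Enable IIS client certificate mapping in many-to-one mode.
$cfg = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $cfg -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $cfg -Name 'manyToOneCertificateMappingsEnabled' -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $cfg -Name 'oneToOneCertificateMappingsEnabled' -Value $false

# 4. Map every certificate whose Issuer O= field matches to the one Domain X account.
#    The password is prompted, not hard-coded; IIS stores it encrypted in applicationHost.config.
$cred = Get-Credential 'DOMAINX\svc-cac'
Add-WebConfigurationProperty -PSPath $apphost -Location $site -Filter "$cfg/manyToOneMappings" -Name '.' `
    -Value @{ name = 'CAC users'; enabled = 'True'; permissionMode = 'Allow';
              userName = $cred.UserName; password = $cred.GetNetworkCredential().Password }
Add-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter "$cfg/manyToOneMappings/add[@name='CAC users']/rules" -Name '.' `
    -Value @{ certificateField = 'Issuer'; certificateSubField = 'O';
              matchCriteria = 'EXAMPLE-ISSUER-ORG'; compareCaseSensitive = 'False' }

# 5. Windows authentication off for this site (no Negotiate/NTLM logon box);
#    anonymous stays off, so a missing, unmapped or revoked certificate gets a 403.
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name 'enabled' -Value $false
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name 'enabled' -Value $false
```

With a many-to-one mapping the application sees the single mapped account, so per-user identity must come from the certificate itself (for example the Subject field exposed to the application), and the mapped account should carry only the rights the site needs.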