IIS using PKI (CAC Card Readers)

I have a Windows 2008 R2 Server that has IIS 7.5 installed.
This server is in Domain X Forest X

I have requested a CRL Cert and applied the Cert to the Server.
I configured bindings to the server https: port ip

Tested - all works

Now there are users in domain A Forest A
These users have a CAC/PKI card with client certificates

I need to set IIS to request/require Cert (CAC Card) from client
and SSO logon to IIS / APP

I configure the Site to require SSL
Client Certificates = accept

But I keep getting a logon box and it won't accept logon or CAC

The site was set to these providers
negotiate
NTLM

Anonymous = disabled
Windows = Enabled

There is not a trust relationship between the domains, but CAC is all certificates and certificates are validated by OCSP, so if expired or revoked it should deny access.
Asked by: Indyrb
 
btan (Exec Consultant) commented:
As mentioned in the link, it needs to have IIS Client Certificate Mapping Authentication installed.
 
btan (Exec Consultant) commented:
You may want to look at the client mapping to the CAC certificate itself. I presume that when the card is inserted, the cert will be in the personal store, where the mapping can be used as configured for client cert authentication (instead of the username/password, which is the fallback to NTLM when cert auth cannot find the client cert). In fact, as shared, a Windows prompt for username and password means that Kerberos SSO is not configured correctly.
http://blogs.msdn.com/b/asiatech/archive/2014/02/13/how-to-configure-iis-client-certificate-mapping-authentication-for-iis7.aspx

Not so sure if the smartcard PIN can be prompted though... but there is still a need for the smartcard driver and CryptoAPI supporting smartcards to be installed on the client machine (which I assume you already have, based on your sharing of the test).
 
Indyrb (Author) commented:
On the IIS server / Roles and Role Services for IIS

I see Client Certificate Mapping Authentication
and IIS Client Certificate Mapping Authentication

Should either of these be installed? Currently they report uninstalled.
Question has a verified solution.
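
The setup discussed in this thread (install the IIS Client Certificate Mapping Authentication role service, require a client certificate, map presented certificates to a Windows account) could be scripted as below. This is an added example, not part of the original thread or the linked blog post; the site name, the mapping name, the mapped account and the issuer CN value are placeholders to replace with your own.

```powershell
# Added example. Run elevated on the IIS 7.5 server.
Import-Module ServerManager
Import-Module WebAdministration

$site   = 'Default Web Site'              # placeholder: name of your site
$psPath = 'MACHINE/WEBROOT/APPHOST'       # write to applicationHost.config
$auth   = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

# 1. Install the role service that reported "uninstalled".
Add-WindowsFeature Web-Cert-Auth          # IIS Client Certificate Mapping Authentication

# 2. Require SSL and a client certificate, not just accept one.
Set-WebConfigurationProperty -PSPath $psPath -Location $site `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 3. Turn on IIS certificate mapping in many-to-one mode.
Set-WebConfigurationProperty -PSPath $psPath -Location $site -Filter $auth `
    -Name 'enabled' -Value 'True'
Set-WebConfigurationProperty -PSPath $psPath -Location $site -Filter $auth `
    -Name 'manyToOneCertificateMappingsEnabled' -Value 'True'

# 4. Map matching certificates to one account the server can log on.
#    Prompt for it so the password never sits in the script.
$cred = Get-Credential                    # placeholder account, e.g. DOMAINX\svc-cac
Add-WebConfigurationProperty -PSPath $psPath -Location $site `
    -Filter "$auth/manyToOneMappings" -Name '.' -Value @{
        name           = 'CAC-Users'      # placeholder mapping name
        enabled        = 'True'
        permissionMode = 'Allow'
        userName       = $cred.UserName
        password       = $cred.GetNetworkCredential().Password
    }

# 5. Rule: only certificates whose issuer CN matches are mapped.
Add-WebConfigurationProperty -PSPath $psPath -Location $site `
    -Filter "$auth/manyToOneMappings/add[@name='CAC-Users']/rules" -Name '.' -Value @{
        certificateField    = 'Issuer'
        certificateSubField = 'CN'
        matchCriteria       = 'REPLACE-WITH-ISSUING-CA-CN'   # placeholder
        compareCaseSensitive = 'False'
    }

# 6. Confirm what was written.
Get-WindowsFeature Web-Cert-Auth, Web-Client-Auth
Get-WebConfigurationProperty -PSPath $psPath -Location $site -Filter $auth -Name 'enabled'
```

Give the mapped account only the rights the application needs, since every certificate that matches the rule runs as that account.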
