Indyrb
asked on
IIS using PKI (CAC Card Readers)
I have a windows 2008 R2 Server that has IIS 7.5 installed.
This server is in Domain X Forest X
I have requested a CRL Cert and applied the Cert to the Server.
I configured bindings to the server https: port ip
Tested - all works
Now there are users in domain A Forest A
These users have a CAC/PKI card with client certificates
I need to set IIS to request/require Cert (CAC Card) from client
and SSO logon to IIS / APP
I configure the Site to require SSL
Client Certificates = accept
But I keep getting a logon box and it won't accept logon or CAC
The site was set to these providers
negotiate
NTLM
Anonymous = disabled
Windows = Enabled
There is not a trust relationship between the domains, but CAC is all certificates and certificates are validated by OCSP. So if expired or revoked it should deny access.
ASKER
On the IIS server /Roles and Role Services for IIS
I see Client Certificate Mapping Authentication
and IIS Client Certificate Mapping Authentication
Should either of these be installed? Currently they report uninstalled.
ASKER CERTIFIED SOLUTION
http://blogs.msdn.com/b/asiatech/archive/2014/02/13/how-to-configure-iis-client-certificate-mapping-authentication-for-iis7.aspx
Not so sure if the smartcard PIN can be prompted, though... but there is still a need for the smartcard driver and CryptoAPI support for the smartcard to be installed on the client machine (which I assumed you already have, based on your sharing of the test).
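As an added example (not the linked blog post's or the answerer's own commands), this is the IIS-side configuration the accepted solution points to, scripted with appcmd for IIS 7.5 on Windows 2008 R2. The site name "Default Web Site", the local account "IIS_CAC_USER" and the issuer CN "EXAMPLE-CAC-CA" are placeholders; the real issuer fields come from the CAC certificate chain you trust.

```powershell
# Added example: map CAC client certificates to a local account with
# IIS Client Certificate Mapping Authentication (placeholders assumed).
$site    = "Default Web Site"
$appcmd  = "$env:windir\system32\inetsrv\appcmd.exe"
$section = "system.webServer/security/authentication/iisClientCertificateMappingAuthentication"

# 1. Install the IIS-side mapping module, not the Active Directory one:
#    with no trust to Forest A, AD mapping cannot resolve the card holder.
Import-Module ServerManager
Add-WindowsFeature Web-Cert-Auth

# 2. Require SSL and a client certificate. "Accept" (SslNegotiateCert)
#    lets a client skip the card, which is when the logon box shows up.
& $appcmd set config $site /section:access /sslFlags:"Ssl,SslRequireCert" /commit:apphost

# 3. Turn off the authenticators that produce the logon box. With anonymous
#    and Windows auth disabled, the mapped account is the only way in.
& $appcmd set config $site /section:anonymousAuthentication /enabled:false /commit:apphost
& $appcmd set config $site /section:windowsAuthentication /enabled:false /commit:apphost

# 4. Enable the module with a many-to-one rule: every certificate issued by
#    the CAC CA maps to one dedicated, least-privilege local account.
#    (One-to-one would need each card's public certificate blob.)
#    IIS encrypts the password attribute in applicationHost.config.
$mapPwd = Read-Host "Password for local account IIS_CAC_USER"
& $appcmd set config $site /section:$section /enabled:true /manyToOneCertificateMappingsEnabled:true /commit:apphost
& $appcmd set config $site /section:$section "/+manyToOneMappings.[name='CACHolders',enabled='true',permissionMode='Allow',userName='IIS_CAC_USER',password='$mapPwd']" /commit:apphost
& $appcmd set config $site /section:$section "/+manyToOneMappings.[name='CACHolders'].rules.[certificateField='Issuer',certificateSubField='CN',matchCriteria='EXAMPLE-CAC-CA']" /commit:apphost

# 5. Check the effective settings before testing with a card.
& $appcmd list config $site /section:access
& $appcmd list config $site /section:$section
```

Revocation is still decided by the server's CryptoAPI chain build (CRL/OCSP) when the client certificate is validated during the TLS handshake, so the issuing CA chain must be in the machine's trust store and reachable for revocation checks.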