
I would like to ask about the authentication of a user to Active Directory with an X509 certificate. I saw a similar question: Client Authentication via X509 Certificates in asp.net; however, the answer says that it requires the login and password. The scenario that I would like to achieve is this:

  1. User clicks on the login button: "Login with smart card";
  2. The system reads the card using some reader or a reader built into the laptop (let's say it waits 5 seconds for the user to use the card);
  3. The system authenticates the user with AD.

The smart card contains both the public and the private key.

Can this be achieved, and if yes, how? I would also like to understand how the website (.NET Core) should communicate with the AD; where should this be placed?

Eru
    This should work just out of the box, assuming you have certificates saved with AD accounts (you need the CA) and you configure the site to use windows authentication and also turn on the "require browser certificate" in SSL settings. The browser loads the site, windows authentication kicks in but since the SSL requires a user certificate, the browser opens up the certificate selection window. From there, users pick their certificate that matches certificates stored in the AD. – Wiktor Zychla Dec 15 '20 at 09:32
  • @WiktorZychla you don't need certificates saved in AD accounts. Smart card logon uses only implicit mapping, which uses dynamic UPN binding with AD accounts. – Crypt32 Dec 15 '20 at 09:43
  • @WiktorZychla I have created a Web app from VS (.NET Core) and I set the authentication to Windows. The website has automatically logged in the user that was logged in to Windows. This is not exactly what I wanted :) There was no prompt to provide this certificate. – Eru Dec 15 '20 at 10:47
  • @Eru: you didn't set the [client certificate requirement](https://stackoverflow.com/questions/19383538/what-is-the-difference-between-requiring-an-ssl-cert-and-accepting-an-ssl-cert) in SSL settings of the IIS site. – Wiktor Zychla Dec 15 '20 at 12:54
  • @WiktorZychla somehow I managed to do it; now the website after launch is providing the list of certificates, and after selecting it reads the cert from the card; the issue is the next message from IIS: "401.2 Unauthorized" (the anonymous access is disabled in IIS); if you have any thoughts about that - please provide them, if not - thank you for the help :) – Eru Dec 15 '20 at 18:10
  • The cert you select is not the one assigned to the user by the CA. – Wiktor Zychla Dec 15 '20 at 20:55
  • That is correct; the certificate that I have is not assigned to the user which is logged into Windows - is this what you meant? – Eru Dec 16 '20 at 08:18
  • Also one question: where should I specify some URL which points to the Active Directory? this is something I did not set anywhere. – Eru Dec 16 '20 at 13:35
  • You don't point to AD; both the server and the domain controller are members of the AD. This is how Windows authentication works. – Wiktor Zychla Dec 17 '20 at 11:45
  • So I really don't know how to set it up and what is not working in my solution.... :/ Is there any way you could help me with this problem? Second question: do you know if this authentication would work for a mobile app (Xamarin) for iOS? – Eru Dec 21 '20 at 09:00
  • @Eru Are you still looking for help with this issue ? – Nishant Dec 28 '20 at 13:09
  • @Nishant-MSFTIdentity yes I am, can you help me in some way? – Eru Dec 29 '20 at 09:11
  • @Nishant-MSFTIdentity what I want is a .NET Core web app that logs in users based on the certificate in a smart card - the certs are connected with AD (both Azure AD and normal AD) – Eru Dec 29 '20 at 09:12
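The IIS site configuration that the comments walk through (require a client certificate in the SSL settings, disable anonymous access, let IIS map the presented certificate to an AD account), written out as an added example that is not from the thread. It assumes IIS on a domain-joined server, a site named "Default Web Site", and the "Client Certificate Mapping Authentication" role service installed; because the access and authentication sections are locked for web.config by default, the block is a location element for applicationHost.config rather than for the app's web.config.

```xml
<!-- applicationHost.config fragment (constructed example); site name is an assumption -->
<location path="Default Web Site">
  <system.webServer>
    <security>
      <!-- TLS is mandatory and the browser must present a client certificate.
           This is the "Require SSL" + "Require" client certificate setting on the
           SSL Settings page in IIS Manager; without SslRequireCert the browser
           never shows the certificate picker. -->
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
      <authentication>
        <!-- Anonymous off: if no authentication module accepts the request,
             IIS answers 401.2, which is the response reported in the comments. -->
        <anonymousAuthentication enabled="false" />
        <!-- Windows authentication signs the caller in with the Kerberos/NTLM
             token of the logged-on Windows user and never inspects the client
             certificate; that is why the site logged the user in "automatically"
             when only this module was enabled. It is left off here so the
             certificate, not the desktop session, decides who the user is. -->
        <windowsAuthentication enabled="false" />
        <!-- Active Directory client certificate mapping is the IIS module that
             matches the presented certificate against the mappings stored on the
             AD account. A certificate with no mapping to an account yields a 401,
             which matches the "cert not assigned to the user" remark above. -->
        <clientCertificateMappingAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</location>
```

No URL to a domain controller appears anywhere in this configuration: as the comments say, the web server resolves the mapping through its own domain membership.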

0 Answers