DoD CAC Authentication - Getting the Client Certificate Using .NET C#, Windows Server 2008 R2, IIS 7.5

We developed a .NET C# web application for DoD that uses the CAC (Common Access Card) as the only authentication method. We have working SSL on the servers, the application runs in several places, and everything works as it should, for the most part.

Problem number 1

The main problem is that on some of our internal development servers, when you click "Login" with a valid CAC in the card reader, only one certificate is displayed, and it is not from the CAC. It is the certificate used to authenticate my work laptop on the network (it has the "Client Authentication" and "Smart Card Logon" purposes checked in the Certificates snap-in).

We have another server on another network where client certificate authentication works fine: it shows the certificates from the CAC and does not show the certificate described above. I have tried comparing everything I can think of in Windows Server 2008 R2 on these two servers, side by side, to see if I can find anything that differs, but both are default Windows Server 2008 R2 installations.

The following code is used to read the client certificate:

    if (Request.ClientCertificate.IsPresent)
    {
        // IIS has already completed the TLS handshake; this only reads what the client presented
        HttpClientCertificate Cert = HttpContext.Current.Request.ClientCertificate;
        // use cert info to check db and create session
    }

This file sits in a directory for which IIS > SSL Settings > "Require SSL" and "Require" client certificates are checked.

I do not know whether this is a server configuration problem or a coding problem, but I have been working on it for several months and cannot find an answer as to why the application cannot receive the CAC certificates only when it is hosted on some servers.

Problem number 2

If I access the application on the server where the CAC is read correctly, it pulls up copies of all the certificates from every CAC that has been used to access the application on this computer, not just the certificates from the CAC physically in the card reader.

AKO [https://akologin.us.army.mil/] at least filters out the email certificates; however, that site is not hosted on a Windows box.

Conclusion

It seems to me that there should be a better, more granular mechanism for accessing and filtering client certificates from a smart card reader than the Request.ClientCertificate collection and two flags in IIS.

+4
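The IsPresent check in the question only tells the application that some certificate completed the handshake; everything the questioner wants under Problem 2 and in the conclusion (rejecting an email certificate, or a certificate that is not from a DoD CA at all) has to be done on the certificate IIS hands over. The following is an added example, not code from the original post: a PowerShell function that validates the presented certificate by Extended Key Usage, issuer and chain, and pulls the UPN (the EDIPI@mil name on a CAC) out of the Subject Alternative Name. The EKU OIDs are standard; the DoD issuer pattern, the SAN text parsing and the certificate store used in the usage line are assumptions. The same .NET calls map one-to-one onto C#, starting from new X509Certificate2(Request.ClientCertificate.Certificate).

```powershell
# Added example: server-side validation of the client certificate IIS presents to the app.
# Not part of the original post. Targets Windows PowerShell 2.0 (Server 2008 R2) and later.
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'      # id-kp-clientAuth
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2' # Microsoft Smart Card Logon
$SecureEmailOid    = '1.3.6.1.5.5.7.3.4'      # id-kp-emailProtection
# Assumption: the identity certificate is issued by "DOD CA-nn" / "DOD ID CA-nn", while the
# email certificates come from "DOD EMAIL CA-nn". Adjust the pattern to the CAs you actually see.
$DodIssuerPattern  = '^CN=DOD (ID )?CA-\d+'

function Test-CacClientCertificate {
    param(
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [string] $IssuerPattern = $DodIssuerPattern,
        [switch] $SkipRevocation   # for a dev box with no route to the DoD CRL/OCSP endpoints
    )
    $result = @{ Subject = $Certificate.Subject; Issuer = $Certificate.Issuer
                 Upn = $null; Accepted = $false; Reason = $null }

    # 1. Extended Key Usage: the CAC carries separate identity, signature and encryption certs.
    $ekus = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
        }
    }
    if ($ekus -notcontains $ClientAuthOid) {
        if ($ekus -contains $SecureEmailOid) { $result.Reason = 'email certificate presented instead of identity certificate' }
        else                                 { $result.Reason = 'no Client Authentication EKU' }
        return New-Object PSObject -Property $result
    }

    # 2. Issuer: only the DoD identity CA (pattern is an assumption, see above).
    if ($Certificate.Issuer -notmatch $IssuerPattern) {
        $result.Reason = "issuer not accepted: $($Certificate.Issuer)"
        return New-Object PSObject -Property $result
    }

    # 3. Chain to a trusted root in this machine's store, with revocation checking unless disabled.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if ($SkipRevocation) { $chain.ChainPolicy.RevocationMode = 'NoCheck' }
    else                 { $chain.ChainPolicy.RevocationMode = 'Online' }
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $ClientAuthOid)) | Out-Null
    if (-not $chain.Build($Certificate)) {
        $reasons = @()
        foreach ($s in $chain.ChainStatus) { $reasons += $s.StatusInformation.Trim() }
        $result.Reason = $reasons -join '; '
        return New-Object PSObject -Property $result
    }

    # 4. UPN from the Subject Alternative Name (OID 2.5.29.17). Parsing the formatted text is an
    #    assumption: it relies on the English "Principal Name=" rendering of the otherName entry.
    foreach ($ext in $Certificate.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.17' -and $ext.Format($false) -match 'Principal Name=([^,\s]+)') {
            $result.Upn = $Matches[1]
        }
    }
    $result.Accepted = $true
    $result.Reason   = 'ok'
    return New-Object PSObject -Property $result
}

# Usage (assumption: a CAC is inserted and its certs have been propagated to the user's Personal store):
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-CacClientCertificate -Certificate $_ -SkipRevocation } |
    Format-Table Accepted, Reason, Upn, Issuer -AutoSize
```

Run against a user's Personal store, the function should accept exactly one certificate per CAC (the identity certificate) and reject the signature and encryption certificates with a reason. On the server, the same four checks go into the "use cert info to check db and create session" branch of the question's code, and the session should be keyed on the UPN rather than on the whole subject string. Note what this does not fix: the list of certificates the browser offers (Problem 2) is chosen on the client from whatever is in the user's Personal store, where Windows copies the certificates of every CAC inserted into that machine, filtered only by the trusted-issuer list the server sends; a server can validate the choice, not shorten the menu.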
2 answers

I had exactly the same problem. Look for Schannel warnings in the System event log.

"When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted."

Trusted Root Certification Authorities > Certificates had about a hundred certificates. We removed all the unnecessary certificates, did an iisreset as administrator, and all the sites started working again.

+5

Joe,

For Problem #1, here is something to try: compare the Trusted Root Certification Authorities certificates on the working server against the ones on your non-working server. It sounds like you may have one or more missing or mismatched certificates. If you have outdated, mismatched or missing certificates, you can download them from DISA. A non-working server may not have been picking up the latest certificate updates. We once had a case where there were too many certificates in the store. In that case we simply deleted the old and/or unneeded certificates. Just make sure you export any certificates you plan to delete before deleting them ... just in case you find out later that you needed them (that would be a "conversation")!

I hope this helps and is not just what you have already tried. Good luck.

+2
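Both answers come down to the same procedure on the IIS server: confirm that Schannel is truncating the trusted-issuer list, inventory LocalMachine\Root, compare it with the server that works, back up whatever is going to be removed, then remove it and iisreset. The script below is an added example that does those steps in PowerShell; it is not code from either answer. The Schannel event ID (36885) is the one Windows logs for the warning quoted in the first answer; the "keep" pattern for DoD roots and the backup directory are assumptions to adjust. It uses the X509Store class rather than Remove-Item on the Cert: drive because the latter is not available in the PowerShell 2.0 that ships with Server 2008 R2.

```powershell
# Added example: audit, compare, back up and prune the trusted-issuer list on an IIS server.
# Not code from the original answers. Run in an elevated PowerShell on the IIS server.
$KeepRootPattern = 'DoD Root CA|DoD Interoperability|ECA Root'   # assumption: roots a CAC-only app needs
$ExportDir       = 'C:\RootBackup'                               # assumption: where removed roots are saved

function Get-SchannelTruncationEvents {
    # Event 36885 from source Schannel is the "list has grown too long ... truncated" warning.
    Get-EventLog -LogName System -Newest 5000 |
        Where-Object { $_.Source -eq 'Schannel' -and $_.EventID -eq 36885 } |
        Select-Object TimeGenerated, EventID, Message
}

function Get-TrustedRootInventory {
    # One row per root. Schannel puts each root's DER-encoded Subject in the issuer list it sends,
    # so IssuerDnBytes summed over the store approximates the size of that list.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            New-Object PSObject -Property @{
                Thumbprint    = $cert.Thumbprint
                Subject       = $cert.Subject
                NotAfter      = $cert.NotAfter
                IssuerDnBytes = $cert.SubjectName.RawData.Length
                Keep          = [bool]($cert.Subject -match $KeepRootPattern)
            }
        }
    } finally { $store.Close() }
}

function Compare-TrustedRoots {
    # Second answer: diff this server against an inventory taken on the working server with
    #   Get-TrustedRootInventory | Export-Csv roots-working.csv -NoTypeInformation
    param([Parameter(Mandatory=$true)][string] $ReferenceCsv)
    $reference = @(Import-Csv $ReferenceCsv)
    Compare-Object -ReferenceObject $reference -DifferenceObject @(Get-TrustedRootInventory) -Property Thumbprint, Subject |
        Select-Object @{n='OnlyOn'; e={ if ($_.SideIndicator -eq '<=') { 'working server' } else { 'this server' } }}, Subject, Thumbprint
}

function Remove-UnneededRoots {
    # First answer: export every root that is about to go, then remove it.
    # Without -Remove this only reports what would be deleted.
    param([switch] $Remove)
    if (-not (Test-Path $ExportDir)) { New-Item -ItemType Directory -Path $ExportDir | Out-Null }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    try {
        foreach ($cert in @($store.Certificates)) {     # copy: the collection changes during removal
            if ($cert.Subject -match $KeepRootPattern) { continue }
            $file = Join-Path $ExportDir ($cert.Thumbprint + '.cer')
            [IO.File]::WriteAllBytes($file, $cert.Export('Cert'))   # backup first, as both answers advise
            if ($Remove) { $store.Remove($cert); Write-Host "removed: $($cert.Subject)" }
            else         { Write-Host "would remove: $($cert.Subject) (backup: $file)" }
        }
    } finally { $store.Close() }
}

# Report: root count, approximate issuer-list size, recent truncation warnings, and a dry run.
$inventory = @(Get-TrustedRootInventory)
$listBytes = ($inventory | Measure-Object IssuerDnBytes -Sum).Sum
"Roots in LocalMachine\Root: $($inventory.Count); DER subject bytes in issuer list: $listBytes"
Get-SchannelTruncationEvents | Select-Object -First 3 | Format-List
Remove-UnneededRoots        # add -Remove to delete, then run: iisreset
```

Two caveats a practitioner will want. First, Windows' automatic root update can repopulate LocalMachine\Root with third-party roots over time, so the count is worth re-checking after the store has been pruned; a group policy that disables automatic root updates is the usual way to keep it pruned. Second, the DWORD value SendTrustedIssuerList = 0 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL stops Schannel from sending the list at all, which avoids the truncation without touching the store; the trade-off is that the browser then offers every client certificate it has, which makes the questioner's Problem 2 worse, not better.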
