IIS 7 and Above
Implementing dual authentication: PKI and username/password
Last post Oct 09, 2017 08:23 AM by Yuk Ding
Oct 03, 2017 02:50 PM|jimmyo94
I run a webserver that authenticates users with a username and password. I want to enable PKI authentication on my webserver while still allowing users to log in with a username/password combination (the latter will have limited access to the website). I will be using a third-party PKI. My users are already in possession of certificates that have been issued by the external CA. Finally, my website implements SSL.
What I want:
An anonymous user arrives at the login page and selects his login method (either a certificate or username/password combination). Upon selecting the option for certificate login, the user will be redirected to a page that requires a valid client certificate.
The user presents a valid certificate, is authenticated, and authorized to view the website.
Alternatively, the user selects the option for username/password login. The user is authenticated and is authorized with limited roles.
Here is my problem:
Users exist in Active Directory and are authenticated with a username/password. I need to retain username/password authentication while also allowing a user to authenticate with a certificate mapped to his account. In addition, an existing user will need to assign a certificate to his account. In other words, self-service certificate mapping (potentially through an LDAP request).
Where I am in development:
I can request a user's client certificate, validate it through IIS, and then grab on to the cert's variables (issuer, subject, serial number, etc.). Normally, a user presents a username/password, I query AD with an LDAP request, authenticate the user, then authorize roles based on the user's permissions contained in the SQL database. Can I configure AD to authenticate a user with cert variables instead of a username/password combination?
Oct 04, 2017 08:19 AM|Yuk Ding
Could you specify what you want to do in IIS, because it looks like much more than IIS configuration stuff. To use a client certificate in an asp.net application, you could check this link:
If you don't have more doubt, you could consult the related forum.
Oct 05, 2017 01:46 PM|jimmyo94
Thanks for the response. I'm developing in ColdFusion. I want IIS to request a client certificate and then pass the certificate attributes to ColdFusion.
The user authentication and authorization process happens in my ColdFusion code. I query AD with an LDAP request to verify the user-submitted username/password combination.
What I would like is to authenticate a user in AD using either his certificate attributes or his username/password combination. I'm relying on IIS to validate the certificate and pass it to ColdFusion. In this way, I know that the certificate attributes I'm using in my ColdFusion code are from a valid certificate.
I hope this clarifies what I'm trying to accomplish.
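The two login paths described in this thread, as an added Python example that is not part of the original posts: it picks the LDAP lookup and role tier from the login method and escapes every value placed in a search filter. Assumptions: certificate mappings are stored in the AD attribute altSecurityIdentities as "X509:<I>issuer<S>subject", the issuer and subject strings already match the form stored there, the variables are the IIS CERT_* server variables, and the function names and role tiers are hypothetical.

```python
# Added example, not from the thread. Assumes mappings live in the AD attribute
# altSecurityIdentities as "X509:<I>issuer<S>subject"; role tiers are made up.

def ldap_escape(value):
    """Escape a string for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def cert_filter(issuer, subject):
    """Find the account whose stored mapping equals this issuer/subject pair."""
    mapping = "X509:<I>%s<S>%s" % (issuer, subject)
    return "(&(objectClass=user)(altSecurityIdentities=%s))" % ldap_escape(mapping)

def password_filter(username):
    """Find the account by logon name; the password is checked by an LDAP bind."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % ldap_escape(username)

def plan_login(method, server_vars, form):
    """Return (ldap_filter, needs_password_bind, role_tier) or raise ValueError."""
    if method == "certificate":
        flags = int(server_vars.get("CERT_FLAGS") or 0)
        # IIS CERT_FLAGS: bit 0 = certificate present, bit 1 = issuing CA not trusted.
        if not flags & 1 or flags & 2:
            raise ValueError("no valid client certificate")
        issuer = server_vars.get("CERT_ISSUER", "")
        subject = server_vars.get("CERT_SUBJECT", "")
        if not issuer or not subject:
            raise ValueError("certificate attributes missing")
        # IIS already validated the certificate, so no password bind is needed.
        return cert_filter(issuer, subject), False, "full"
    if method == "password":
        username = form.get("username", "")
        if not username or not form.get("password"):
            raise ValueError("username and password required")
        return password_filter(username), True, "limited"
    raise ValueError("unknown login method")

# Constructed sample input (not real certificate data).
SAMPLE_VARS = {
    "CERT_FLAGS": "1",
    "CERT_ISSUER": "C=US, O=Example, CN=Example CA",
    "CERT_SUBJECT": "C=US, O=Example, CN=J (Ops)",
}

if __name__ == "__main__":
    print(plan_login("certificate", SAMPLE_VARS, {}))
    print(plan_login("password", {}, {"username": "jdoe", "password": "x"}))
```

The certificate values must come from the server variables IIS populates after the TLS handshake, never from request fields or headers the client can set.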
Oct 09, 2017 08:23 AM|Yuk Ding
You could try to build arr with client certificate: