Smartcard Authentication non AD accounts

4 replies

Last post Jun 06, 2019 02:10 AM by Able

  • Smartcard Authentication non AD accounts

    Jun 03, 2019 09:13 PM | jessay

    I am kind of scratching my head over the last week.

    Objective: Configure IIS to authenticate with a smart card only and not have it rely on Active Directory/username and password

    How I configured IIS so far

    Server Certificate selected under Bindings

    IIS Client Certificate Mapping Authentication Role installed

    SSL Settings - Enabled

    Certificate Required

    Authentication - All set to disable

    SSL Bind shows CTLSTORENAME set to ClientAuthIssuer

    Under Certificate store I imported all my root and intermediate certificates from trusted root to Client Authenticated Issuer

    My understanding would be that once a client has authenticated via their PIN, it should check against the store, confirm the root/intermediate CA is there, and then authenticate. I am getting 401.2 consistently and feel like I am missing something rather simple at this point.

  • Re: Smartcard Authentication non AD accounts

    Jun 04, 2019 03:08 AM | Able

    Hi jessay,

    According to your description, if you are using smart cards in your organization to provide additional security and control over user credentials, users can use those smart cards with authentication credentials to obtain rights account certificates (RACs) and use licenses from servers in the AD RMS cluster.

    You could follow the steps below:

    To add Client Certificate Mapping Authentication role service

    1. Open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.

    2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

    3. Expand Roles, and then click Web Server (IIS).

    4. In the results pane under Role Services, click Add Role Services.

    5. Select the Client Certificate Mapping Authentication check box, and then click Next.

    6. Click Install.

    7. When the role service is added, click Close.

    Next, configure the authentication method in IIS:

    To configure the authentication method in IIS

    1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

    2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

    3. In the console tree, expand the server name.

    4. In the results pane of the server Home page, double-click Authentication to open the Authentication page.

    5. In the results pane of the Authentication page, right-click AD Client Certificate Authentication, and then click Enable.

    6. Close IIS Manager.

    Finally, enable client authentication for the Web site that is hosting AD RMS:

    To enable client authentication on a Web site hosting AD RMS

    1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

    2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

    3. In the console tree, expand the server name.

    4. Expand Sites, and then expand the Web site that is hosting AD RMS. By default, the Web site name is Default Web Site.

    5. In the console tree, expand _wmcs, right-click either the certification virtual directory (to support RACs) or the licensing virtual directory (to support use licenses), and then click Switch to Content View.

    6. In the results pane of the Content View, right-click certification.asmx or license.asmx as appropriate, and then choose Switch to Features View.

    7. In the results pane on the Home page, double-click SSL Settings.

    8. Choose the appropriate Client certificates setting (Accept or Require). You should accept client certificates if you want clients to have the option to supply authentication credentials by using either a smart card certificate or a user name and password. You should require client certificates if you want only clients with client-side certificates such as smart cards to be able to connect to the service.

    9. Click Apply.

    10. If you want to use client authentication for both certification and licensing, repeat this procedure but select the alternate virtual directory the second time.

    11. Close IIS Manager.

    12. Repeat steps 1–10 for every server in the AD RMS cluster.

    Next, you need to force the authentication method to use Client Certificate Mapping Authentication for the AD RMS cluster.

    To force the client authentication method in the applicationhost.config file

    1. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

    2. Navigate to %windir%\system32\inetsrv\config.

    3. Type notepad applicationhost.config, and then press ENTER.

    4. Go to the section similar to the <location path="Default Web Site/_wmcs/certification/certification.asmx"> section of the applicationhost.config file.

    Here is the link; I hope it could help you.

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732116(v=ws.11)

    Best Regards

    Able

    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
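An added example, not code from this thread or from the linked Microsoft article, showing what the stand-alone configuration the original poster describes (no AD, no AD RMS) looks like when set with the documented appcmd.exe switches from an elevated PowerShell prompt. The site name "Default Web Site", the local Windows account "SmartCardUser" and the issuing CA name "Contoso Issuing CA" are assumptions. The point it illustrates is that IIS Client Certificate Mapping Authentication only authenticates a request when an enabled mapping rule matches the presented certificate; a certificate that passes the TLS handshake but matches no rule leaves the request unauthenticated, and with every other method disabled IIS answers 401.2.

```powershell
# Added example (not from the thread). Assumptions: site "Default Web Site",
# local account "SmartCardUser" that all mapped card holders run as, and an
# issuing CA whose Issuer CN is "Contoso Issuing CA". Run elevated on the IIS host.

$appcmd  = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$site    = 'Default Web Site'
$mapAcct = 'SmartCardUser'
$mapPwd  = Read-Host -Prompt "Password for local account $mapAcct"
$auth    = 'system.webServer/security/authentication'

# 1. Transport: require TLS, negotiate a client certificate, and require one.
#    This is the "SSL Settings -> Require" checkbox from the thread, as sslFlags.
& $appcmd set config $site -section:system.webServer/security/access `
    /sslFlags:"Ssl,SslNegotiateCert,SslRequireCert" /commit:apphost

# 2. Turn off every other authentication module so nothing falls back to
#    Anonymous, Basic or Windows (Kerberos/NTLM) credentials.
foreach ($m in 'anonymousAuthentication', 'basicAuthentication', 'windowsAuthentication') {
    & $appcmd set config $site -section:"$auth/$m" /enabled:"False" /commit:apphost
}

# 3. Enable IIS Client Certificate Mapping Authentication (the role service the
#    original poster installed) in many-to-one mode. The section is locked at
#    server level by default, so it is written into applicationHost.config
#    under a <location path="Default Web Site"> element (/commit:apphost).
$sec = "$auth/iisClientCertificateMappingAuthentication"
& $appcmd set config $site -section:$sec /enabled:"True" `
    /manyToOneCertificateMappingsEnabled:"True" `
    /oneToOneCertificateMappingsEnabled:"False" /commit:apphost

# 4. One many-to-one mapping: every accepted certificate whose Issuer CN matches
#    the CA name is mapped to the local account. Without at least one matching,
#    enabled rule the request stays unauthenticated, which is the 401.2 condition
#    once anonymous access is disabled. IIS encrypts the password attribute when
#    it writes the configuration.
& $appcmd set config $site -section:$sec `
    "/+manyToOneMappings.[name='SmartCardHolders',description='Cards issued by Contoso Issuing CA',enabled='True',permissionMode='Allow',userName='$mapAcct',password='$mapPwd']" `
    /commit:apphost
& $appcmd set config $site -section:$sec `
    "/+manyToOneMappings.[name='SmartCardHolders'].rules.[certificateField='Issuer',certificateSubField='CN',matchCriteria='Contoso Issuing CA',compareCaseSensitive='False']" `
    /commit:apphost

# 5. Print the effective configuration for review.
& $appcmd list config $site -section:$sec
& $appcmd list config $site -section:system.webServer/security/access
& $appcmd list config $site -section:"$auth/anonymousAuthentication"
```

Two caveats on the rule in step 4. It is a string comparison on the Issuer field only; the chain itself (issuer signature, validity period, trusted root) is validated by Schannel during the TLS handshake before the module ever sees the certificate, so the rule is a mapping decision, not the trust decision. That is why the ClientAuthIssuer CTL store on the binding, which the original poster already configured, still matters: it limits which issuers the handshake accepts, so a certificate from a different CA that happens to carry the same CN string cannot reach the mapping rule. Use a separate low-privilege local account per mapping rather than an administrator, since every card holder who matches the rule runs as that account.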
  • Re: Smartcard Authentication non AD accounts

    Jun 04, 2019 01:02 PM | jessay

    I was looking at this yesterday, but it was looking like it was targeted more at domain/Active Directory.

    My end goal is to only rely on authenticating against my root certs currently existing in my Client Authentication Issuer store. Was I misunderstanding what AD RMS would provide?

  • Re: Smartcard Authentication non AD accounts

    Jun 04, 2019 08:36 PM | jessay

    I need to be able to configure IIS to operate as stand-alone, intranet-only access.

    Right now I still receive a 401.2 after the browser prompts for a certificate: you input the PIN and boom, 401.2, even though the Trusted Root and Client Auth Issuer stores have the root CA for that client certificate. I am thinking that due to its limited access it is attempting to do a CRL validation, which I do not want to happen. Is there a way to configure IIS to say that once you confirm the CA is in the Trusted Root/Client Auth Issuer certificate store on the server, that is the only validation needed?
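An added example, not from the thread, of how a practitioner would first confirm whether revocation checking is really what fails on an isolated intranet host, and then, only if it is, turn client-certificate revocation checking off on the HTTP.sys binding. Revocation checking is a property of the SSL binding that HTTP.sys holds (netsh http sslcert), not of the IIS site configuration, which is why nothing in IIS Manager exposes it. The binding address 0.0.0.0:443 and the exported client certificate path C:\temp\smartcard-client.cer are assumptions.

```powershell
# Added example (not from the thread). Assumptions: the site listens on 0.0.0.0:443
# and a copy of one smart-card client certificate (public part only) has been
# exported to C:\temp\smartcard-client.cer. Run elevated on the IIS host.

$ipport   = '0.0.0.0:443'
$testCert = 'C:\temp\smartcard-client.cer'

# Step 1: run the same chain-building and revocation check CryptoAPI performs,
# with URL fetching, and read the verdict. CRYPT_E_REVOCATION_OFFLINE (0x80092013)
# means the CRL/OCSP endpoint in the certificate's CDP/AIA could not be reached;
# CRYPT_E_REVOKED (0x80092010) means the card really was revoked. Only the first
# case is a candidate for the change in step 3.
certutil.exe -verify -urlfetch $testCert

# Step 2: read the current binding. The "Verify Client Certificate Revocation"
# line is the setting in question; keep the hash, app id and store for re-adding.
$show  = netsh http show sslcert ipport=$ipport
$show
$hash  = ($show | Select-String 'Certificate Hash\s*:\s*(\S+)').Matches[0].Groups[1].Value
$appid = ($show | Select-String 'Application ID\s*:\s*(\S+)').Matches[0].Groups[1].Value
$store = ($show | Select-String 'Certificate Store Name\s*:\s*(\S+)').Matches[0].Groups[1].Value
if (-not $hash)  { throw "No SSL binding found on $ipport" }
if (-not $store -or $store -eq '(null)') { $store = 'MY' }

# Step 3: an sslcert entry cannot be edited in place, so delete and re-add it.
# clientcertnegotiation=enable keeps the handshake asking for a certificate,
# sslctlstorename=ClientAuthIssuer keeps the issuer restriction from the thread,
# and verifyclientcertrevocation=disable is the one change being made.
netsh http delete sslcert ipport=$ipport
netsh http add sslcert ipport=$ipport certhash=$hash appid=$appid certstorename=$store `
    sslctlstorename=ClientAuthIssuer clientcertnegotiation=enable `
    verifyclientcertrevocation=disable

# Step 4: confirm the new flags took effect.
netsh http show sslcert ipport=$ipport
```

Two things to weigh before keeping step 3 in place. With revocation checking disabled, a lost or stolen smart card stays usable against this server until its certificate expires, so the preferred fix on an intranet-only host is to make the CRL reachable instead: publish the CA's CRL to an HTTP path on the intranet that matches the CDP URL in the issued certificates, or, failing that, use verifyrevocationwithcachedclientcertonly=enable so that only a cached CRL is consulted. Also note that editing the binding later in IIS Manager recreates the sslcert entry with default flags, silently re-enabling revocation checking, so re-run the netsh commands after any binding change and keep the script under change control.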

  • Re: Smartcard Authentication non AD accounts

    Jun 06, 2019 02:10 AM | Able

    Hi jessay

    According to your description, I couldn't understand your requirement clearly. IIS actually only knows certificate-based authentication, not the smart card itself (this is really just certificate-based authentication). Configure your site to use certificate-based authentication, such as "Require client certificate"; IIS will link the call to Windows security, and Windows security recognizes that the source of the identity certificate is a smart card reader.

    Best Regards

    Able
