IIS 7 and Above
Smartcard Authentication non AD accounts
Last post Jun 06, 2019 02:10 AM by Able
Jun 03, 2019 09:13 PM | jessay
I am kind of scratching my head over the last week.
Objective: Configure IIS to authenticate with Smart card only and not have it rely on Active Directory/Username and Password
How I configured IIS so far
Server Certificate selected under Bindings
IIS Client Certificate Mapping Authentication Role installed
SSL Settings - Enabled
Authentication - All set to disable
SSL Bind shows CTLSTORENAME set to ClientAuthIssuer
Under Certificate store I imported all my root and intermediate certificates from trusted root to Client Authenticated Issuer
My understanding would be that once a client authenticates via their PIN it should check against the store, confirm the root/intermediate CA is there, and then authenticate. I am getting 401.2 consistently and feel like I am missing something rather simple at
Jun 04, 2019 03:08 AM | Able
According to your description, if you are using smart cards in your organization to provide additional security and control over user credentials, users can use those smart cards with authentication credentials to obtain rights account certificates (RACs) and use licenses from servers in the AD RMS cluster.
You could follow the steps below:
Open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
Expand Roles, and then click Web Server (IIS).
In the results pane under Role Services, click Add Role Services.
Select the Client Certificate Mapping Authentication check box, and then click Next.
Click Install.
When the role service is added, click Close.
Next, configure the authentication method in IIS:
Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
In the console tree, expand the server name.
In the results pane of the server Home page, double-click Authentication to open the Authentication page.
In the results pane of the Authentication page, right-click AD Client Certificate Authentication, and then click Enable.
Close IIS Manager.
Finally, enable client authentication for the Web site that is hosting AD RMS:
Expand Sites, and then expand the Web site that is hosting AD RMS. By default, the Web site name is Default Web Site.
In the console tree, expand _wmcs, right-click either the certification virtual directory (to support RACs) or the licensing virtual directory (to support use licenses), and then click Switch to Content View.
In the results pane of the Content View, right-click certification.asmx or license.asmx as appropriate, and then choose Switch to Features View.
In the results pane on the Home page, double-click SSL Settings.
Choose the appropriate Client certificates setting (Accept or Require). You should accept client certificates if you want clients to have the option to supply authentication credentials by using either a smart card certificate or a user name and password. You should require client certificates if you want only clients with client-side certificates such as smart cards to be able to connect to the service.
Click Apply.
If you want to use client authentication for both certification and licensing, repeat this procedure but select the alternate virtual directory the second time.
Repeat steps 1–10 for every server in the AD RMS cluster.
Next, you need to force the authentication method to use Client Certificate Mapping Authentication for the AD RMS cluster.
To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
Navigate to %windir%\system32\inetsrv\config.
Type notepad applicationhost.config, and then press ENTER.
Here is the link; I hope it could help you.
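The procedure above is the Active Directory flavour (AD Client Certificate Authentication), which is the server-wide module the original poster wants to avoid. As an added example that is not part of Able's reply nor of the Microsoft documentation it quotes, here is the stand-alone variant driven from an elevated PowerShell prompt on the IIS host: IIS Client Certificate Mapping Authentication (the iisClientCertificateMappingAuthentication section) with a many-to-one rule that maps every certificate issued by a named CA onto a local Windows account, with every other authentication module on the site switched off. The site name, issuer CN and local account name are placeholders chosen for the example.

```powershell
# Added example: stand-alone (non-AD) client certificate mapping in IIS 7+ via WebAdministration.
# Assumptions (placeholders, not from the thread): site "Default Web Site", an issuing CA whose
# CN is "Example Smartcard Issuing CA" and that already sits in LocalMachine\ClientAuthIssuer,
# and a local account "certmapuser" that every matching certificate is logged on as.
Import-Module WebAdministration

$site     = 'Default Web Site'
$issuerCn = 'Example Smartcard Issuing CA'
$mapUser  = "$env:COMPUTERNAME\certmapuser"
$mapPass  = Read-Host 'Password for the mapped local account'   # IIS encrypts this attribute on write

$apphost = 'MACHINE/WEBROOT/APPHOST'
$section = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

# Sanity check: the mapping can only succeed if the issuer is actually in ClientAuthIssuer,
# because that store is what HTTP.sys advertises as acceptable issuers in the TLS handshake.
$issuer = Get-ChildItem Cert:\LocalMachine\ClientAuthIssuer | Where-Object { $_.Subject -like "CN=$issuerCn*" }
if (-not $issuer) { throw "CA '$issuerCn' is not in LocalMachine\ClientAuthIssuer" }

# 1. SSL Settings for the site: require SSL and require (not just accept) a client certificate.
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter 'system.webServer/security/access' -Name sslFlags `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 2. Disable every other authentication module on the site (Authentication -> all disabled).
foreach ($auth in 'anonymousAuthentication', 'basicAuthentication',
                  'windowsAuthentication', 'digestAuthentication') {
    Set-WebConfigurationProperty -PSPath $apphost -Location $site `
        -Filter "system.webServer/security/authentication/$auth" -Name enabled -Value $false
}

# 3. Enable IIS client certificate mapping (many-to-one only) for the site. The section is
#    locked at server level by default, so it is written into applicationHost.config under a
#    <location path="..."> element via -Location rather than into the site's web.config.
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $section -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $section `
    -Name manyToOneCertificateMappingsEnabled -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $section `
    -Name oneToOneCertificateMappingsEnabled -Value $false

# 4. Many-to-one mapping: a presented certificate whose Issuer CN matches is logged on as $mapUser.
#    Without a matching rule there is no identity for the request and IIS answers with a 401.
Add-WebConfiguration -PSPath $apphost -Location $site -Filter "$section/manyToOneMappings" -Value @{
    name = 'SmartCardUsers'; enabled = $true; permissionMode = 'Allow'
    userName = $mapUser; password = $mapPass
}
Add-WebConfiguration -PSPath $apphost -Location $site `
    -Filter "$section/manyToOneMappings/add[@name='SmartCardUsers']/rules" -Value @{
    certificateField = 'Issuer'; certificateSubField = 'CN'
    matchCriteria = $issuerCn; compareCaseSensitive = $false
}

# 5. Read back the effective configuration for the site.
Get-WebConfigurationProperty -PSPath $apphost -Location $site -Filter 'system.webServer/security/access' -Name sslFlags
Get-WebConfiguration -PSPath $apphost -Location $site -Filter "$section/manyToOneMappings/add" |
    Select-Object name, enabled, permissionMode, userName
```

Two things a practitioner should check before blaming the certificate chain: the mapped account must be allowed to log on to the box (it is used for an ordinary Windows logon, and a disabled or password-expired account yields a 401 just like a missing rule), and the many-to-one rule compares the exact subfield text, so the matchCriteria must be the issuer's CN as it appears in the certificate, not the friendly name of the store entry.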
Jun 04, 2019 01:02 PM | jessay
I was looking at this yesterday but it was looking like it was targeted more for domain/Active Directory.
My end game goal is to only rely on authenticating against my root certs currently existing in my client authenticated issuer store. Was I misunderstanding what AD RMS would provide?
Jun 04, 2019 08:36 PM | jessay
I need to be able to configure IIS to operate as stand-alone intranet only access
Right now I still receive a 401.2 after the browser prompts for a certificate: you input the PIN and boom, 401.2, even though the Trusted and Client Auth Issuer stores have the root CA from that client certificate. I am thinking that due to its limited access it is attempting to do a CRL validation, which I do not want to have happen. Is there a way to configure IIS to say that once you confirm the CA in the Trusted/Client Auth Issuer certificate store on the server, that is the only validation needed?
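The revocation check the post above is worried about is not an IIS setting: the client certificate chain is built and revocation-checked by HTTP.sys/SChannel on the SSL binding before IIS ever sees the request, and the knobs for it live on the binding itself, which is the same object whose CTLSTORENAME the first post mentions. As an added example that is not part of this thread, the following shows how to inspect those flags and re-create the binding with revocation checking turned off, assuming a binding on 0.0.0.0:443 and a server certificate in LocalMachine\My identified by a placeholder subject.

```powershell
# Added example: inspect and rewrite the HTTP.sys SSL binding that fronts the IIS site.
# Assumptions (not from the thread): binding 0.0.0.0:443, server certificate subject
# "CN=intranet.example.local" in LocalMachine\My. The appid below is the one IIS registers
# for its bindings; confirm it against the "Application ID" line of "netsh http show sslcert".
$ipport  = '0.0.0.0:443'
$iisApp  = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'
$subject = 'CN=intranet.example.local'

# Before: the lines of interest are "Verify Client Certificate Revocation",
# "Ctl Store Name" and "Negotiate Client Certificate".
netsh http show sslcert ipport=$ipport

# What the server will advertise as acceptable issuers; the smart card's chain must end here.
Get-ChildItem Cert:\LocalMachine\ClientAuthIssuer | Select-Object Subject, Thumbprint

$thumb = (Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -eq $subject } |
          Select-Object -First 1).Thumbprint
if (-not $thumb) { throw "no server certificate with subject '$subject' in LocalMachine\My" }

# netsh cannot edit a binding in place, so delete it and add it back with the wanted flags:
#   sslctlstorename            - restrict acceptable issuers to the ClientAuthIssuer store
#   clientcertnegotiation      - ask for the client certificate in the initial handshake
#   verifyclientcertrevocation - disable = do not fetch CRLs/OCSP for the client chain
netsh http delete sslcert ipport=$ipport
netsh http add sslcert ipport=$ipport certhash=$thumb appid="$iisApp" certstorename=MY `
    sslctlstorename=ClientAuthIssuer `
    clientcertnegotiation=enable `
    verifyclientcertrevocation=disable

# After: confirm the flags took effect.
netsh http show sslcert ipport=$ipport
```

Disabling the revocation check means a lost or revoked smart card keeps authenticating until its certificate expires, so on an isolated intranet the safer fix is to make the CRL distribution point or OCSP responder reachable from the IIS host (or publish the CRL to it) and leave verifyclientcertrevocation enabled; use the disable switch only to confirm that revocation lookup really is the cause of the 401.2, then put the check back.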
Jun 06, 2019 02:10 AM | Able
According to your description, I couldn't understand your requirement clearly. IIS actually only knows certificate-based authentication, not the smart card itself (this is really just certificate-based authentication). If you configure your site to use certificate-based authentication, such as "require client certificate", IIS will link the call to Windows security, and Windows security recognizes that the source of the identity certificate is a smart card reader.