Last post Oct 21, 2011 09:44 AM by dr43058
Dec 04, 2008 09:02 AM|bfancett|LINK
I have worked on two web development projects for the DoD, and they use CAC cards for authentication. I have gotten as far as being able to pull information off of the CAC card, store it in a UserAuth table (SQL Server 2005 Std), however the problem is that my web.sitemap is using roles authentication to determine if the user has rights to see certain areas of the web application. When I allow the user access to the application based on their valid CAC information, and then bypass the member login form, I lose my sitemap.
How can I allow CAC card authentication and still use the ASP.Net Membership provider to provide roles authentication for my web application?
This is a huge deal, so any suggestion would be great.
Dec 04, 2008 09:21 AM|Jones0878|LINK
I too worked for DoD for the longest time developing applications. I would need to know a little more about your environment.
1. Is this an intranet site or available to the outside world?
2. Is the basis of your login form using AD authentication....example: Maybe bouncing off the LDAP servers for AKO like my application did...
I believe that all you really need to do is to write yourself a simple custom roles and membership provider for your application. It seems that the current system you have set up may be bypassing the login form but is not actively engaging in the authentication process. You can tie into the membership provider and basically do an 'automatic' login for the user if their CAC authentication passes the sniff test.
Hope this helps you out man. DoD's regs can be a pain in the rear[:D]
Dec 04, 2008 09:42 AM|bfancett|LINK
I am developing in ASP.NET 3.5 and C# using a SQL Server 2005 Developer Edition database. I am not bouncing off LDAP, AD or anything. Membership accounts are created from within the site using the built in Create User Wizard.
You seem to have a good grasp on what I am doing, and the pain that I am going through with CoN, DIACAP, etc., and the "automatic" login if the CAC passes the test sounds good, but how can I accomplish this?
The current authentication is basic ASP Membership out of the box configuration. Create User Wizard, Forgot Password Wizard, and Change Password Wizard. I have added some wizard steps to the create user wizard for assigning roles and adding personal information to my own table (not a table provided by the membership). I just can't figure out how to authenticate the user to the membership provider based on a valid CAC only, without having the user login with UserName and PWD at the form. I am using forms authentication.
Dec 04, 2008 09:12 PM|Jones0878|LINK
Okay, so what I would do if I were you to keep things simple is this. You obviously have the automatic login piece actually already done, since you stated that if they are CAC authenticated then they get to the page but you lose your sitemap. So you know that part works. Now what you need to do is the following in your code following the success of the CAC authentication call.....
1. CAC authentication returns success.
2. Then you need to make a call to get the username for the user from your custom tables.
3. Then just call FormsAuthentication.RedirectFromLoginPage(username, boolean) <---the boolean value tells it if you want the cookie to be persistent or not...obviously CAC would be a NO..LOL
You should be golden now! The reason that your CAC user gets in with no roles is that you need to populate the cookie based upon the username in the security framework. You should be able to pull enough information off the card to be able to match it against a user. If you are having the users sign up for access...AKA moderated access...in which you then go in and authorize, then part of the process could be you caching the information that they come into the site with on their CAC card (especially the UID <- unique identifier) so that you can post that to your security mapping table X_Username = Y_CAC_UID. This should work since you can guarantee that everyone will have a CAC card, since all the DOD sites are supposed to be CAC enabled.
Hope this helps you out.
Dec 05, 2008 08:15 AM|bfancett|LINK
I can definitely pull enough information off of the CAC (SerialNumber and AKO UserID) and store it in a table which references the ASP.NET user table in order to get the Membership UserName. This is easy.
Basically I do all of this on my default page. IIS is set up to REQUIRE Client Certificates (SSL), so the user cannot even get to the site if they do not have a valid DoD X.509 certificate on the client. Once IIS passes this, the user is sent to the default.aspx page, where I get the serial number off the CAC, and check it against my table to get the UserName. If the UserName is found, then this is where I get stuck.
I use my default page twice, once when you first enter the site, where the user must click the login button. This takes the user to the MemberLogin.aspx page where the forms authentication is. I check to see if the user is authenticated....if(!User.Identity.IsAuthenticated). User.Identity.IsAuthenticated cannot take any parameters, so I cannot tell the Membership provider that this == true. Once the user has entered UserName and Password, then they are redirected to the Default.aspx page again, where they get a welcome message and the navigation is loaded.
I need to bypass the MemberLogin.aspx page altogether. Are you saying that FormsAuthentication.RedirectFromLoginPage(username, boolean) is how I would do this?
Jan 09, 2009 09:30 AM|BrianFan|LINK
It's bfancett using a new account. I couldn't get my password reset to work. You were correct, FormsAuthentication.RedirectFromLoginPage(string, bool) works, and the navigation menu loads with the correct role permission and everything. However, when I click on anything in my navigation, I don't get redirected to the page that I am trying to get to, I just stay at the Default page.
In my web.config my Login page is set to Default.aspx. There is no Login Control on the Default page anymore. The Default.aspx page has a login button, where after verifying the CAC, I call the FormsAuthentication.RedirectFromLoginPage(string, bool) method.
Clicking the Login button loads the LoginView control with my username, and the navigation loads just fine too, but I cannot navigate anywhere.
Any idea what the problem is with this?
May 27, 2009 12:13 PM|mia892|LINK
I work for DoD also. I need to implement CAC login too. Is it possible that I can borrow your code accessing the CAC.
May 27, 2009 12:18 PM|BrianFan|LINK
Oct 27, 2009 04:15 PM|sam100|LINK
I am new to this site but I found very interesting discussion. I am working for a DOD project. I am in the early stage of developing a web application which needs CAC login. Before writing something I am trying to figure
out what I need. My dev box has a CAC Reader and I have installed ActivClient software (from AKO site) and certificate. Do I need any software development Kit from ActivClient? appreciate your reply......Sam
Jan 12, 2010 12:36 PM|bobuj|LINK
How can I pull the "email" from a DoD CAC Card?
Jan 12, 2010 12:44 PM|BrianFan|LINK
Once you request the client certificate from IIS you can grab anything that is stored in that certificate.
// Inside a Page (code-behind): Request.ClientCertificate is the certificate IIS accepted; it is not constructed by hand.
HttpClientCertificate cc = Request.ClientCertificate;
string str = cc.Subject; ........ should give you everything you are looking for, you'll just have to parse through the string str to get what you want.
Jan 12, 2010 12:55 PM|bobuj|LINK
I'm trying to implement trusted authentication within Business Objects, however, it appears the best route is to pull the email from the CAC, and authenticate to BO by using the email address of the user as the user ID to ensure a 1:1 (relative) relationship.
I have the BO side configured, now I just need an "enter" button that would pass the CAC email and authenticate against BO
voilà - SSO!
this is similar to a query string, yes?
Jan 13, 2010 07:37 AM|BrianFan|LINK
If you are looking to authenticate to your BO using the email address of the user off the CAC certificate, I would highly recommend against it. If somebody gets married or what have you, and they change their last name, their email address will change and your authentication will fail.
A better idea would be to use the 10 digit CAC identifier code. This 10 digit number never changes, even if the user gets a new CAC card. Here is how to get that 10 digit number, as well as the first name, middle initial, and last name of the user.
// Runs inside a Page (code-behind), so Request is the current HttpRequest.
HttpClientCertificate cs = Request.ClientCertificate;
// Holds the entire contents of the subject line, e.g.
// C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=CONTRACTOR, CN=FANCETT.BRIAN.P.1245703429
string entireSubjectLine = cs.Subject;
// Gets the total length of the subject line.
int subjectLineLength = entireSubjectLine.Length;
// -10 grabs the start of the 10 digit CAC identifier code for the user (it is the tail of the CN).
int startOfCacIdentifierPosition = subjectLineLength - 10;
string cacIdentifier = entireSubjectLine.Substring(startOfCacIdentifierPosition, 10);
// The CN is the last comma-separated field of the subject; strip the "CN=" prefix.
string[] subjectArray = entireSubjectLine.Split(',');
string cnField = subjectArray[subjectArray.Length - 1].Trim();
string cnValue = cnField.Split('=')[1];
// The CN is LAST.FIRST.MI.ID, so split it on the dots.
string[] sArr1 = cnValue.Split('.');
string lastName = sArr1[0];
string firstName = sArr1[1];
string MI = sArr1.Length > 3 ? sArr1[2] : string.Empty; // some CACs have no middle name
string Id = cacIdentifier; //10 Digit Unique CAC identifier
As you can see, you now have 4 strings (lastName, firstName, MI, and Id). Id is the 10 digit Unique CAC Identifier that you should use for authentication or lookup purposes.
You can place this code in the Page_Load event, a button click event, or whatever you would like. Keep in mind that in order for this to work, IIS has to be configured to accept or require client certificates. If you choose to require client certificates, the users will have to enter their CAC PIN prior to being able to see the default web page, and you will have to use SSL.
Hope this helps, and please mark as answer if it does.
Jan 13, 2010 11:09 AM|bobuj|LINK
BRIAN! This is fantastic...
Only thought, the BO User IDs are used to match against the CAC info for Trusted Authen to work (with the SharedSecret). But if I was to try to implement the CAC ID, I would have to request each of our 3,000 users to supply their CAC IDs, and then populate BO accordingly.
This is why I was thinking the email route - we have a help desk and they constantly reset people's passwords. Although emails may change due to the reasons you have stated, I see the manual effort going the email route as much less than populating all of our users' BO User IDs with their CAC IDs.
Unless, of course, I'm missing something!
Jan 13, 2010 11:41 AM|BrianFan|LINK
Yeah, for 3,000 users it would be a pain!
This is what the entire subject line of the client certificate looks like, as an example just so you know:
C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=CONTRACTOR, CN=FANCETT.BRIAN.P.1245703429
Here's the main problem with using the email address for authentication, and REALLY consider this. For DoD purposes, there are at least 2 certificates on a user's CAC, the ID Certificate and the Signature Certificate. When I, and all my other users, authenticate to my application, and IIS prompts the ActivClient window, which then prompts you to select a certificate, we usually select the ID Certificate, because it's the first one in the list.
The ID Certificate does NOT contain the user's email address, only the Signature Certificate contains the email address! So, if you ever had a user that selected the ID Certificate, they wouldn't be able to authenticate, and even worse, unless you catch the exception in code your application will crash because the value you are looking for (email) does not exist.
It's for this reason, and this reason alone, that the 10 digit ID is best, because it is present on both certificates, and it's the only thing guaranteed NEVER to change.
Now, the way that I handle getting the ID for all my users, is that they must send me a digitally signed email requesting access to the application. I then grab the 10 digit ID from their digital signature in the email, and add it to my database. Also,
you can look them up from the following website:
Now, this doesn't solve your problem of manually adding the ID for 3,000 users, so maybe what I would do is this. As part of your application, you'll have to have a "Register CAC Information" page, where users will enter their AKO, NKO, etc., email address into a form, along with their first name, middle initial, and last name. You can then compare this information against the CAC which they just accessed the site with (which is secure because if it isn't valid ActivClient will tell IIS not to allow access), using the code I provided, and then perform your database operations, like so:
1.) Look up email address in database, if email is valid then
2.) Compare the First name, MI, and last name entered by the user with the values from the client certificate, if they match, then
3.) Add the 10 digit ID to the database as part of your BO.
A lot of sites, when they had to comply with the new DISA STIG of CAC authentication, had to do the very same thing, whereby users had to "Register" their CAC information on the site.
Let me know your thoughts.
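The pieces described in this thread (the three-step automatic login from the Dec 04 reply, and the "Register CAC Information" flow above) fit together as shown in the following C# example. This is an added example, not code posted in the thread. It assumes IIS requires SSL client certificates so that Request.ClientCertificate is populated, that the CN has the form LAST.FIRST[.MIDDLE...].EDIPI, and that the two delegates LookupUserNameByEdipi and SaveEdipiForUser are hypothetical stand-ins for the site's own X_Username = Y_CAC_UID mapping table. The issuer substring checked in ReadIdentity is also an assumption about the DoD CA naming.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Security;

// Added example, not code from the thread. Assumes IIS requires SSL client certificates,
// the CN is LAST.FIRST[.MIDDLE...].EDIPI, and the delegates in CacLogin stand in for the
// site's own EDIPI <-> user name mapping table (hypothetical).
public sealed class CacIdentity
{
    public string LastName { get; private set; }
    public string FirstName { get; private set; }
    public string MiddleName { get; private set; }   // empty when the CN has no middle component
    public string Edipi { get; private set; }        // the 10 digit ID present on both CAC certs

    private static readonly Regex EdipiPattern = new Regex(@"^\d{10}$");

    // Parse the subject as IIS reports it, e.g.
    // "C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=CONTRACTOR, CN=FANCETT.BRIAN.P.1245703429".
    // The CN is found by name rather than assumed to be last, and the ID is checked to be
    // exactly ten digits instead of taking the last ten characters of whatever the subject is.
    public static CacIdentity Parse(string subject)
    {
        if (string.IsNullOrEmpty(subject)) return null;

        string cn = null;
        foreach (string rdn in subject.Split(','))
        {
            string[] kv = rdn.Split(new[] { '=' }, 2);
            if (kv.Length == 2 && kv[0].Trim().Equals("CN", StringComparison.OrdinalIgnoreCase))
                cn = kv[1].Trim();
        }
        if (cn == null) return null;

        string[] parts = cn.Split('.');
        if (parts.Length < 3) return null;               // need at least LAST.FIRST.EDIPI
        string edipi = parts[parts.Length - 1];
        if (!EdipiPattern.IsMatch(edipi)) return null;   // e.g. a non-CAC cert with another CN shape

        return new CacIdentity
        {
            LastName = parts[0],
            FirstName = parts[1],
            MiddleName = string.Join(".", parts, 2, parts.Length - 3),
            Edipi = edipi
        };
    }
}

public static class CacLogin
{
    // Hypothetical data access; replace with the site's own mapping table.
    public static Func<string, string> LookupUserNameByEdipi = edipi => null;
    public static Action<string, string> SaveEdipiForUser = (userName, edipi) => { };

    public static CacIdentity ReadIdentity(HttpRequest request)
    {
        HttpClientCertificate cert = request.ClientCertificate;
        if (!cert.IsPresent || !cert.IsValid) return null;
        // IIS only accepted a cert chaining to a root in the server's trust store. If that store
        // holds more than the DoD roots, pin the issuer too (the DN fragment is an assumption).
        if (cert.Issuer.IndexOf("OU=DoD", StringComparison.OrdinalIgnoreCase) < 0) return null;
        return CacIdentity.Parse(cert.Subject);
    }

    // The thread's three steps: cert accepted -> user name from the mapping table ->
    // FormsAuthentication.RedirectFromLoginPage(userName, false). Never a persistent cookie:
    // the CAC, not a cookie, is the credential.
    public static bool TryAutoLogin(HttpRequest request)
    {
        CacIdentity id = ReadIdentity(request);
        if (id == null) return false;
        string userName = LookupUserNameByEdipi(id.Edipi);
        if (userName == null) return false;
        FormsAuthentication.RedirectFromLoginPage(userName, false);
        return true;
    }

    // "Register CAC Information": bind the EDIPI to an existing account only when the name the
    // user typed matches the certificate they presented (a middle initial matches a full middle
    // name) and the EDIPI is not already bound to some other account.
    public static bool TryRegister(HttpRequest request, string userName,
                                   string enteredLast, string enteredFirst, string enteredMiddle)
    {
        CacIdentity id = ReadIdentity(request);
        if (id == null || string.IsNullOrEmpty(userName)) return false;
        if (LookupUserNameByEdipi(id.Edipi) != null) return false;   // already registered
        StringComparison ci = StringComparison.OrdinalIgnoreCase;
        bool nameMatches =
            id.LastName.Equals((enteredLast ?? "").Trim(), ci) &&
            id.FirstName.Equals((enteredFirst ?? "").Trim(), ci) &&
            id.MiddleName.StartsWith((enteredMiddle ?? "").Trim(), ci);
        if (!nameMatches) return false;
        SaveEdipiForUser(userName, id.Edipi);
        return true;
    }
}
```

From the Default.aspx login button handler, call CacLogin.TryAutoLogin(Request); from the registration page, call CacLogin.TryRegister with the currently authenticated Membership user name and the posted form fields. Because the lookup is keyed on the EDIPI rather than the email address, it behaves the same whether the user picked the ID certificate or the Signature certificate. Note that, as mentioned later in this thread, Request.ClientCertificate is empty when a reverse proxy terminates TLS in front of the application, so this code only applies where IIS itself performs the client certificate handshake.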
Jan 13, 2010 12:04 PM|bobuj|LINK
Very impressive, and I have to concur with what you have provided - some manual work on my end, however, it will be worth it in the long run.
I ran "response.write("CAC =" & Request.ClientCertificate()) and retrieved the whole "string", not seeing an email was a little bit of a surprise.
You have saved me so much "what the heck am I doing" research and work!!!
Thanks so much
Jan 13, 2010 01:22 PM|BrianFan|LINK
No problem at all. You'd be amazed how many people from within the DoD have found the same posting you found and contacted me. If you provide me with your work email address I will send you a white paper that goes over the entire implementation.
I'm glad that I helped!
Jan 13, 2010 01:37 PM|bobuj|LINK
White paper, that would be great, thanks so much!
Jan 20, 2010 03:16 PM|hmcclain4|LINK
I need more of this!
If anyone has documentation; a book, a white paper, a napkin... whatever!
I have been charged with building a personnel database with a web front-end on our intranet. My requirements are two-fold:
So I need to implement both anonymous access and Windows authentication. Should I separate these into two web applications? Since this is NIPR maybe I could employ the DISA catalog for authentication. Thoughts? I've never accessed that catalog programmatically.
I'm relatively new to ASP.NET C# programming, coming from a Java background. I have built two relatively simple ASP.NET web applications but cracking the CAC certificate has proven beyond my reach. In the second requirement, I just want to crack it open and get what I need out of it. I don't want/need to authenticate the user.
Any suggestions would help at this point because this project is dead in the water if I stay at the helm.
Jan 26, 2010 11:40 AM|eccris|LINK
Hi, I would just like to say that I am one of those that found your posting really useful. I have been assigned a project where I need to implement CAC login for a SharePoint website. I am interested in this white paper that goes over the implementation you provided. My email is firstname.lastname@example.org. Thanks in advance.
Jan 27, 2010 04:37 PM|enzoaeneas|LINK
this posting has been a great help.
I am working on similar software but was wondering if it were possible to pull Other Information from the CAC as well as the X509 certificates
through the web browser. I get the certificate information, but we would also like to be able to access the "personal information" on the card.
ActivClient pulls this information, is it feasible via the browser?
Your white paper would be quite helpful as well.
May 21, 2010 09:40 AM|Tommy.Smith|LINK
Could You send me the white paper for CAC Card (Tommy.Smith@us.army.mil)
May 26, 2010 07:00 AM|thomastg|LINK
I too would be interested in your code. I am using LDAP but would like use CAC authentication.
May 26, 2010 07:14 PM|rreysner|LINK
Has anyone encountered a situation where a PIN needs to be entered for different file types? I notice on my ASP.NET app that I need to enter the card PIN initially for an ASPX, once again for a call to an ASHX and once more for a call to an ASMX. I'm able to access the card information in code afterwards and hook into a custom membership and role provider.
Jun 01, 2010 11:54 AM|BrianFan|LINK
Hey everyone, it's bfancett.
Please do not email me at my army email address requesting the whitepaper I wrote from a gmail, yahoo, or other commercial email address....I will not reply. Additionally, anyone who finds this post helpful, I'm glad, but you should refer to the forge.mil CAC community forum for further correspondence on this topic. If you don't have a CAC you won't be able to access this site, but if you don't have a CAC you probably shouldn't be testing CAC authentication, ya think?
Jun 22, 2010 08:08 AM|BrianFan|LINK
Just want to let everyone know that I now have a working implementation of CAC Authentication for .Net apps (web forms and MVC) for applications that run through a reverse proxy. If anyone tried implementing my earlier solution on an application going through a reverse proxy and could not get it to work, it's because the reverse proxy device strips out the HTTP Header information, and causes you to lose your client certificate data.
I have a new white paper with code for anyone who would like it. Contact me through the usual channels or email.
Mar 03, 2011 01:52 PM|MarkAskins|LINK
Hey Brian, Would like to see that white paper on that CAC Authentication for .Net apps.
Apr 22, 2011 01:39 PM|mmlang|LINK
Jun 23, 2011 11:45 AM|fluidmedia|LINK
Hello, I too could not locate your white paper at the site you provided. If you could send me a link or the white paper I would appreciate it.
Oct 21, 2011 09:44 AM|dr43058|LINK
SHOULD my authorization, based off CAC subject extraction resulting in a 10 digit CAC ID, be placed in a MasterPage???