 |  |  |  |  |  |  |  |
CAC/Smartcard user info not authorized on SSL site, must use domain usr/pwd instead
Please support our ASP.NET advertiser: Intel Parallel Studio Home
 |
•
•
Join Date: Sep 2009
Posts: 1
Reputation: 
Solved Threads: 0
Newbie Poster
CAC/Smartcard user info not authorized on SSL site, must use domain usr/pwd instead
0
#1 Sep 9th, 2009
It's long, but trying to give as much informtion as possible at one time.
Having an issue with random individuals trying to access an intranet site with a security certificate. Most users are able to simply select their Smartcard/CAC certificate, enter the pin number and then are granted access to the site's pages.
However, random individuals enter their pin and then are immediately re-prompted by the IE alert dialogue to enter their domain username and password. If they don't enter their network domain username and MS password, then they receive a 401.1 Unauthorized.
I am confused as to why these certain users (who are selecting the same certificates as the successful ones) are being prompted for their domain name/pwd. Furthermore, they're able to access other sites which require a CAC to get past the security certificate.
Possible that a user token is unable to be established via a CAC for the particular site, but not sure why. Since these users are getting a 401.1, then somehow their identity associated with their CAC credentials is not validating.
In IIS: Anonymous users are not allowed (unchecked). 128-bit encryption is required with SSL. Integrated Windows Authentication is checked. Accepting client certificates In the site's web.config file all users are allowed and only anonymous are denied.
Developed in asp.net 3.5
We have tried to reproduce the problem in testing and development environments, but have fortunately/unfortunately been unable to duplicate this issue. This furthermore eludes to an issue that might be isolated to the production server, users access to it, and/or the certificate that is applied to that SSL website on that server.
The exact same setup is present on the development box without any issues at all, indicating to me that the problem resides on the production server's ability to properly receive/handle CAC information from those individuals or that something funky is going on with the way the security certificate is relating to the client's CAC x.509 certificate.
A little more information that may be of use: the browser prompt that initially asks for the CAC has nothing to do with the code of the site, but rather is enabled by applying the security certificate to a site in IIS; thus indicating to me that there is something written into the certificate that looks for client certificates tied to the ActivClient agent via the browser???
The violating users' cards work on all other applications and even on SSL sites on other servers that bring up a CAC prompt. I believe we have confirmed that the certificates associated with their cards and their IE browsers are valid through 2015 (or longer in some cases), and are the same in nature (x509 certificate from the card)... and issuer is being consistently selected as DOD Email CA-15 (though the regular DOD CA-15 works as well). Again, maybe something with the fact that it's isolated to one production server, something with the SSL cert. on that url or user access??
Then again, I probably have no idea what i'm talking about, just throwing a bone here to see if anyone has had the same issue or has any ideas.
Thanks in advance for any input, questions, or ideas.
Having an issue with random individuals trying to access an intranet site with a security certificate. Most users are able to simply select their Smartcard/CAC certificate, enter the pin number and then are granted access to the site's pages.
However, random individuals enter their pin and then are immediately re-prompted by the IE alert dialogue to enter their domain username and password. If they don't enter their network domain username and MS password, then they receive a 401.1 Unauthorized.
I am confused as to why these certain users (who are selecting the same certificates as the successful ones) are being prompted for their domain name/pwd. Furthermore, they're able to access other sites which require a CAC to get past the security certificate.
Possible that a user token is unable to be established via a CAC for the particular site, but not sure why. Since these users are getting a 401.1, then somehow their identity associated with their CAC credentials is not validating.
In IIS: Anonymous users are not allowed (unchecked). 128-bit encryption is required with SSL. Integrated Windows Authentication is checked. Accepting client certificates In the site's web.config file all users are allowed and only anonymous are denied.
Developed in asp.net 3.5
We have tried to reproduce the problem in testing and development environments, but have fortunately/unfortunately been unable to duplicate this issue. This furthermore eludes to an issue that might be isolated to the production server, users access to it, and/or the certificate that is applied to that SSL website on that server.
The exact same setup is present on the development box without any issues at all, indicating to me that the problem resides on the production server's ability to properly receive/handle CAC information from those individuals or that something funky is going on with the way the security certificate is relating to the client's CAC x.509 certificate.
A little more information that may be of use: the browser prompt that initially asks for the CAC has nothing to do with the code of the site, but rather is enabled by applying the security certificate to a site in IIS; thus indicating to me that there is something written into the certificate that looks for client certificates tied to the ActivClient agent via the browser???
The violating users' cards work on all other applications and even on SSL sites on other servers that bring up a CAC prompt. I believe we have confirmed that the certificates associated with their cards and their IE browsers are valid through 2015 (or longer in some cases), and are the same in nature (x509 certificate from the card)... and issuer is being consistently selected as DOD Email CA-15 (though the regular DOD CA-15 works as well). Again, maybe something with the fact that it's isolated to one production server, something with the SSL cert. on that url or user access??
Then again, I probably have no idea what i'm talking about, just throwing a bone here to see if anyone has had the same issue or has any ideas.
Thanks in advance for any input, questions, or ideas.
|
Similar Threads
- How can I find my ftp? (HTML and CSS)
- getting user info (PHP)
- splitting a ftp connection string to it's parts (Shell Scripting)
- Domain at £4.99 per year + Free 50MB web space (Web Hosting Deals)
- Computer keeps restarting! (Viruses, Spyware and other Nasties)
- Your Help with My Domain Name (Promotion and Marketing Plans)
- another newbie with alot of redhat and apache server Q'S (Linux Servers and Apache)
- Joining Workgroup to a Domain? (Windows NT / 2000 / XP)
- Advertise on U.S. Army Game Site! (Ad Space for Sale)
Other Threads in the ASP.NET Forum
- Previous Thread: C# & Aspx - Entities & Listbox
- Next Thread: Many ModalPopUpExtendr on the Same Page
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Latest ASP.NET Posts
- Today's Posts
- Unanswered Threads
Related Forum Features
