login to Website using a SmartCard

Discussion in 'ASP .Net Security' started by Guest, Jun 23, 2006.

  1. Guest

    Guest Guest

    Hi,

    Does anyone have experience of Website login (AD Integrated) using a Smart Card?
    I'm actually using the ASP:Login control to log in the users using their AD
    credentials. Users also have a smart card that permits them to log on locally
    to Windows XP clients. I'd like to have them log in on the extranet without
    having to insert username and password, but just Smart Card and PIN. Is it
    possible?

    Thanks.

    Massimo Piceni
    Guest, Jun 23, 2006
    #1

  2. Hi,

    yes this is possible - there are some steps necessary

    - ssl must be enabled
    - in IIS / directory security / secure communication you can specify that
    you accept client certificates (IE will transparently use the certs from
    the smartcard on the client)

    in ASP.NET you can query for client cert with Context.Request.ClientCertificate.IsPresent,
    and if you trust the cert, you can issue an authentication ticket without
    requiring cleartext credentials. A module would be a good place for that.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hi,
    >
    > Does anyone have experience of Website login (AD Integrated) using a Smart
    > Card? I'm actually using the ASP:Login control to log in the users
    > using their AD credentials. Users also have a smart card that permits
    > them to log on locally to Windows XP clients. I'd like to have them
    > log in on the extranet without having to insert username and password,
    > but just Smart Card and PIN. Is it possible?
    >
    > Thanks.
    >
    > Massimo Piceni
    >
    Dominick Baier [DevelopMentor], Jun 23, 2006
    #2
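
The approach described in reply #2, as an added example that is not part of the original thread: an HTTP module that checks the client certificate and issues a forms authentication ticket. The module name, the issuer thumbprint placeholder and the use of the certificate's UPN as the user name are assumptions made for this sketch.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical module; register it under <httpModules> in web.config.
public class SmartCardLoginModule : IHttpModule
{
    // Placeholder: thumbprint of the CA that issues the smart card certificates.
    private const string TrustedIssuerThumbprint = "<ISSUING-CA-THUMBPRINT>";

    public void Init(HttpApplication app) { app.AuthenticateRequest += OnAuthenticateRequest; }
    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Request.IsAuthenticated) return;      // ticket from an earlier request

        HttpClientCertificate cc = ctx.Request.ClientCertificate;
        if (!cc.IsPresent || !cc.IsValid) return;     // no usable certificate: stay anonymous

        string upn = GetTrustedUpn(new X509Certificate2(cc.Certificate));
        if (upn == null) return;

        // Issue the forms ticket (non-persistent) and authenticate this request too.
        FormsAuthentication.SetAuthCookie(upn, false);
        ctx.User = new GenericPrincipal(new GenericIdentity(upn, "SmartCard"), new string[0]);
    }

    private static string GetTrustedUpn(X509Certificate2 cert)
    {
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        if (!chain.Build(cert) || chain.ChainElements.Count < 2) return null;

        // Element 0 is the user's certificate, element 1 is its issuing CA.
        string issuer = chain.ChainElements[1].Certificate.Thumbprint;
        if (!string.Equals(issuer, TrustedIssuerThumbprint, StringComparison.OrdinalIgnoreCase))
            return null;

        // Assumption: the card certificate carries the AD user principal name in its SAN.
        string upn = cert.GetNameInfo(X509NameType.UpnName, false);
        return string.IsNullOrEmpty(upn) ? null : upn;
    }
}
```

Checking `IsPresent` alone only shows that some certificate was sent; the chain, revocation and issuer checks are what make it safe to issue a ticket for the name the certificate carries.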

  3. Guest

    Guest Guest

    Thank you Dominick for your fast reply.

    If I understand well, this means I have to check (trust) the certificate in
    some way and then bind it to the corresponding user. Is it not possible to
    simply leave the work to AD, exactly as I do using ASP:Login with Username
    and Password?
    In any case, do you know where I can find some examples? I'm not a Web
    programmer, but a system administrator, and it does not happen very often
    that I program ASP.NET.

    Thanks a lot.

    Massimo.

    "Dominick Baier [DevelopMentor]" <> wrote in message
    news:...
    > Hi,
    > yes this is possible - there are some steps necessary
    >
    > - ssl must be enabled - in IIS / directory security / secure communication
    > you can specify that you accept client certificates (IE will transparently
    > use the certs from the smartcard on the client)
    >
    > in ASP.NET you can query for client cert with
    > Context.Request.ClientCertificate.IsPresent, and if you trust the cert,
    > you can issue an authentication ticket without requiring cleartext
    > credentials. A module would be a good place for that.
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    >> Hi,
    >>
    >> Does anyone have experience of Website login (AD Integrated) using a Smart
    >> Card? I'm actually using the ASP:Login control to log in the users
    >> using their AD credentials. Users also have a smart card that permits
    >> them to log on locally to Windows XP clients. I'd like to have them
    >> log in on the extranet without having to insert username and password,
    >> but just Smart Card and PIN. Is it possible?
    >>
    >> Thanks.
    >>
    >> Massimo Piceni
    >>

    Guest, Jun 23, 2006
    #3
  4. Hello Massimo,

    If you want to authenticate the extranet user totally with AD, you may
    consider a VPN connection as a solution. The extranet user can build a VPN
    connection to your intranet and authenticate with Smart Card and AD. After
    the VPN connection is built, it is just like the user is in your intranet, and
    you can still use the original ASP.NET application without any additional
    programming work.

    Regards,

    Luke Zhang
    Microsoft Online Community Lead

    ==================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ==================================================

    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    Luke Zhang [MSFT], Jun 26, 2006
    #4
  5. Guest

    Guest Guest

    Hi Luke,

    thanks for your suggestion, but I don't like to enable VPN access, because
    I think it is not needed and will increase a lot the impact of a security
    incident. External users just need to access a Website, not any other
    network resource, so I think a VPN is too much for this purpose.

    Thanks anyway for your reply.

    Massimo.
    Guest, Jun 26, 2006
    #5