http://support.microsoft.com/kb/892424

When the "Smart card is required for interactive logon" is set on Active Directory, it generates a random password. How do I utilize a smart card to authenticate a user over LDAP from a web application?

How do I know who the user is? Is there a way to access the cert? Can I get it from the session?

+1  A: 

HTTPS and SSL mutual authentication should be used for this, because the client already has at least a corporate CA-signed certificate stored on its smart card.

When mutual SSL authentication is used instead of just server authentication, the client certificate is also verified by the server, not only the server's certificate by the client (which is the more common set-up for e.g. HTTPS-enabled e-commerce sites). And you still get an encrypted connection as a bonus.

See e.g. the Tomcat 6.0 SSL Configuration HOW-TO. The key point is to have the CA certificate in the trust-store and the clientAuth attribute set to true.

The login auth-method should also be set to CLIENT-CERT in the web.xml of the respective web application:

...
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Foo * Bar * Realm</realm-name>
</login-config>
...

The SubjectDN attribute from the client certificate is used to identify the user. LDAP (or Active Directory) can still be used for authorization - e.g. by checking if the user belongs to a group.

It can be difficult to set it all up the first time. To get familiar with all the concepts I recommend the following approach:

  • Use BASIC auth-method with user-names and passwords stored in a file
  • Use simple role-based authorization
  • Enable CLIENT-CERT auth-method + simple role-based authorization
  • Incorporate LDAP for checking roles
Matej
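An added example (not from the answer above or from Tomcat) of the two steps the answer describes after the handshake: a servlet behind the CLIENT-CERT login-config reads the verified client certificate, takes its SubjectDN to identify the user, and then checks group membership in Active Directory over LDAP. The LDAP URL, base DN, group DN, the bind-credential system properties and the rule that the certificate CN equals the AD sAMAccountName are all assumptions for illustration.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Behind the CLIENT-CERT login-config: Tomcat already validated the chain against its trust-store.
public class SmartCardAuthzServlet extends HttpServlet {
    // Assumed values for illustration; point them at your own directory and group.
    static final String LDAP_URL = "ldaps://dc.example.local:636";
    static final String BASE_DN = "DC=example,DC=local";
    static final String REQUIRED_GROUP = "CN=WebUsers,OU=Groups,DC=example,DC=local";
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // The container exposes the verified client chain under this request attribute.
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        String subjectDn = chain[0].getSubjectX500Principal().getName(); // chain[0] is the end-entity cert
        try {
            if (!isMemberOfGroup(subjectDn, REQUIRED_GROUP)) { resp.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
        } catch (NamingException e) { throw new ServletException("LDAP lookup failed", e); }
        resp.setContentType("text/plain");
        resp.getWriter().println("Authenticated as " + subjectDn);
    }

    // Assumption: certificate CN == AD sAMAccountName; bind credentials come from system properties.
    static boolean isMemberOfGroup(String subjectDn, String groupDn) throws NamingException {
        String cn = null;
        for (Rdn rdn : new LdapName(subjectDn).getRdns())
            if (rdn.getType().equalsIgnoreCase("CN")) cn = rdn.getValue().toString();
        if (cn == null) return false;
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_PRINCIPAL, System.getProperty("ldap.bind.user"));
        env.put(Context.SECURITY_CREDENTIALS, System.getProperty("ldap.bind.password"));
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // JNDI escapes {0}/{1}, so a crafted CN cannot rewrite the filter; the OID makes memberOf follow nested groups.
            String filter = "(&(objectClass=user)(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:={1}))";
            return ctx.search(BASE_DN, filter, new Object[] {cn, groupDn}, sc).hasMore();
        } finally { ctx.close(); }
    }
}
```

Using the filter-argument form of search() rather than string concatenation is what keeps a certificate subject containing `*`, `(` or `\` from changing the query; the LDAPS URL keeps the service-account bind off the wire in clear text.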