Need to integrate CAC Card Authentication with ASP.NET Membership Provider

  • Question

  • User-1486895313 posted

    I have worked on two web development projects for the DoD, and they use CAC cards for authentication.  I have gotten as far as being able to pull information off of the CAC card and store it in a UserAuth table (SQL Server 2005 Std); however, the problem is that my web.sitemap is using roles authentication to determine if the user has rights to see certain areas of the web application.  When I allow the user access to the application based on their valid CAC information, and then bypass the member login form, I lose my sitemap.

     How can I allow CAC card authentication and still use the ASP.Net Membership provider to provide roles authentication for my web application?

    This is a huge deal, so any suggestion would be great.

    Thank you.

    Thursday, December 4, 2008 9:02 AM

All replies

  • User666985863 posted

    B,

    I too worked for DoD for the longest time developing applications. I would need to know a little more about your environment.

    1. Is this an intranet site or available to the outside world?

    2. Is the basis of your login form using AD authentication....example: Maybe bouncing off the LDAP servers for AKO like my application did...

    I believe that all you really need to do is to write yourself a simple custom roles and membership provider for your application. It seems that the current system you have set up may be bypassing the login form but is not actively engaging in the authentication process. You can tie into the membership provider and basically do an 'automatic' login for the user if their CAC authentication passes the sniff test.

    Hope this helps you out man. DoD's regs can be a pain in the rear[:D]

     

    AJ

    Thursday, December 4, 2008 9:21 AM
  • User-1486895313 posted

    I am developing in ASP.NET 3.5 and C# using a SQL Server 2005 Developer Edition database.  I am not bouncing off LDAP, AD or anything.  Membership accounts are created from within the site using the built in Create User Wizard. 

    You seem to have a good grasp on what I am doing, and the pain that I am going through with CoN, DIACAP, etc., and the "automatic" login if the CAC passes the test sounds good, but how can I accomplish this. 

    The current authentication is basic ASP Membership out of the box configuration.  Create User Wizard, Forgot Password Wizard, and Change Password Wizard.  I have added some wizard steps to the create user wizard for assigning roles and adding personal information to my own table (not a table provided by the membership).  I just can't figure out how to authenticate the user to the membership provider based on a valid CAC only, without having the user login with UserName and PWD at the form.  I am using forms authentication. 

    Thanks

    Thursday, December 4, 2008 9:42 AM
  • User666985863 posted

    Okay, so what I would do if I were you to keep things simple is this. You obviously have the automatic login piece already done, since you stated that if they are CAC authenticated then they get to the page but you lose your sitemap. So you know that part works. Now what you need to do is the following in your code, following the success of the CAC authentication call.....

    1. CAC authentication returns success.

    2. Then you need to make a call to get the username for the user from your custom tables.

    3. Then just call FormsAuthentication.RedirectFromLoginPage(username, boolean)  <--- the boolean value tells it if you want the cookie to be persistent or not...obviously CAC would be a NO..LOL

    You should be golden now! The reason that your CAC user gets in with no roles is that you need to populate the cookie based upon the username in the security framework. You should be able to pull enough information off the card to be able to match it against a user. If you are having the users sign up for access...AKA moderated access...in which you then go in and authorize, then part of the process could be you caching the information that they come into the site with on their CAC card (especially the UID <- unique identifier) so that you can post that to your security mapping table X_Username = Y_CAC_UID.  This should work since you can guarantee that everyone will have a CAC card since all the DoD sites are supposed to be CAC enabled.

     

    Hope this helps you out.


    AJ

    Thursday, December 4, 2008 9:12 PM
  • User-1486895313 posted

    AJ ~

    I can definitely pull enough information off of the CAC (SerialNumber and AKO UserID) and store it in a table which references the ASP.NET user table in order to get the Membership UserName.  This is easy. 

    Basically I do all of this on my default page.  IIS is set-up to REQUIRE Client Certificates (SSL), so the user cannot even get to the site if they do not have a valid DoD X.509 certificate on the client.  Once IIS passes this, the user is sent to the default.aspx page, where I get the serial number off the CAC, and check it against my table to get the UserName.  If the UserName is found, then this is where I get stuck. 

    I use my default page twice, once when you first enter the site, user must click the login button.  This takes the user to the MemberLogin.aspx page where the forms authentication is.  I check to see if user is authenticated....if(!User.Identity.IsAuthenticated). 

    User.Identity.IsAuthenticated cannot take any parameters, so I cannot tell the Membership provider that this == true.  Once the user has entered UserName and Password, then they are redirected to the Default.aspx page again, where they get a welcome message and the navigation is loaded. 

    I need to bypass the MemberLogin.aspx page all together, are you saying that the FormsAuthentication.RedirectFromLoginPage(username, boolean) is how I would do this?

    Friday, December 5, 2008 8:15 AM
  • User-1069045755 posted

    AJ,

    It's bfancett using a new account.  I couldn't get my password reset to work.  You were correct, the FormsAuthentication.RedirectFromLoginPage(string, bool) works, and the navigation menu loads with the correct role permission and everything.  However, when I click on anything in my navigation, I don't get redirected to the page that I am trying to get to, I just stay at the Default page.

    In my web.config My Login page is set at Default.aspx.  There is no Login Control on the Default page anymore.  The Default.aspx page has a login button, where after verifying the CAC, I have the FormsAuthentication.RedirectFromLoginPage(string, bool) method.  Clicking the Login button loads the LoginView control with my username, and the navigation loads just fine too, but I cannot navigate anywhere. 

    Any idea what the problem is with this?

     Thank you,

    Brian

    Friday, January 9, 2009 9:30 AM
  • User1227271176 posted

    I work for DoD also. I need to implement CAC login too. Is it possible that I can borrow your code accessing the CAC.

    Wednesday, May 27, 2009 12:13 PM
  • User-1069045755 posted
    Please send me an email from your work email address.  Mine is: brian.fancett@us.army.mil
    Wednesday, May 27, 2009 12:18 PM
  • User-175288231 posted

     

    Hi Brian

    I am new to this site but I found very interesting discussion. I am working for a DOD project. I am in the early stage of developing a web application which needs CAC login. Before writing something I am trying to figure out what I need. My dev box has a CAC Reader and I have installed ActivClient software (from AKO site) and certificate.  Do I need any software development Kit from ActivClient? appreciate your reply......Sam

    Tuesday, October 27, 2009 4:15 PM
  • User-1767982903 posted

     Hello!?

    How can I pull the "email" from a DoD CAC Card?

    Tuesday, January 12, 2010 12:36 PM
  • User-1069045755 posted

    Once you request the client certificate from IIS you can grab anything that is stored in that certificate.

        HttpClientCertificate cc = Request.ClientCertificate;   // the client certificate IIS negotiated for this request
        string str = cc.Subject;                                // the subject DN, e.g. "C=US, O=U.S. Government, ..., CN=..."

    ........ should give you everything you are looking for, you'll just have to parse through the string str to get what you want.

    Tuesday, January 12, 2010 12:44 PM
  • User-1767982903 posted

    I'm trying to implement trusted authentication within Business Objects, however, appears the best route is to pull the email from the CAC, and authenticate to BO by using the email address of the users as the user ID to ensure a 1:1 (relative) relationship.

    I have the BO side configure,  now just need an "enter" button that would pass the cac email, authenticate against BO

    whallah - SSO!

     this is similar to a query string, yes?

    Tuesday, January 12, 2010 12:55 PM
  • User-1069045755 posted

    If you are looking to authenticate to your BO using the email address of the user off the CAC certificate, I would highly recommend against it.  If somebody gets married or what have you, and they change their last name, their email address will change and your authentication will fail. 

    A better idea would be to use the 10 digit CAC identifier code.  This 10 digit number never changes, even if the user gets a new CAC card.  Here is how to get that 10 digit number, as well as the first name, middle initial, and last name of the user.

     

            // Requires: using System.Text; (for StringBuilder)
            HttpClientCertificate cs = Request.ClientCertificate;
            string[] subjectArray = cs.Subject.Split(',');

            // Holds the entire contents of the subject line.
            string entireSubjectLine = cs.Subject;

            // Gets the total length of the subject line.
            int subjectLineLength = entireSubjectLine.Length;

            // -10 grabs the start of the 10 digit CAC identifier code for the user.
            int startOfCacIdentifierPosition = subjectLineLength - 10;

            string cacIdentifier = entireSubjectLine.Substring(startOfCacIdentifierPosition, 10);

            // The CN is the last (sixth) comma-separated element, e.g. " CN=LAST.FIRST.MI.1234567890".
            string[] arr = subjectArray[5].Split(' ');
            string[] user = arr[1].Split('=');
            StringBuilder sb = new StringBuilder();
            foreach (string field in user)
            {
                sb.Append(field);
            }
            sb.Remove(0, 2);   // drops the leading "CN"

            string str1 = sb.ToString();
            string[] sArr1 = str1.Split('.');
            string lastName = sArr1[0];
            string firstName = sArr1[1];
            string MI = sArr1[2];
            string Id = cacIdentifier; // 10 digit unique CAC identifier


    As you can see, you now have 4 strings (lastName, firstName, MI, and Id).  Id is the 10 digit Unique CAC Identifier that you should use for authentication or lookup purposes.

    You can place this code in the Page_Load event, a button click event, or whatever you would like.  Keep in mind that in order for this to work, IIS has to be configured to accept or require client certificates.  If you choose to require client certificates, the users will have to enter their CAC PIN prior to being able to see the default web page, and you will have to use SSL.

    Hope this helps, and please mark as answer if it does.

    Regards,

    Brian

    Wednesday, January 13, 2010 7:37 AM
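The three steps AJ lists earlier in the thread (CAC success, user-name lookup, FormsAuthentication.RedirectFromLoginPage) combined with the client-certificate read Brian shows, as an added example in C# that is not code from either poster. It assumes IIS is set to require SSL client certificates, that forms authentication with the Membership and Role providers is configured in web.config, and that Default.aspx contains a Button named LoginButton and a Label named StatusLabel; the CacUserMap dictionary, its sample row and the RegisterCac.aspx page are stand-ins for the reader's own mapping table and registration page:

```csharp
// Default.aspx.cs: added example, not the thread's own code.
// Assumptions: IIS requires SSL client certificates; forms authentication plus
// the Membership/Role providers are configured in web.config; Default.aspx has
// a Button "LoginButton" and a Label "StatusLabel"; CacUserMap stands in for the
// UserName <-> CAC identifier table (constructed sample data).
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class _Default : Page
{
    // Constructed stand-in for the X_Username = Y_CAC_UID mapping table.
    private static readonly IDictionary<string, string> CacUserMap =
        new Dictionary<string, string>
        {
            { "1245703429", "bfancett" }   // sample row, constructed
        };

    // The CN ends in the 10 digit identifier on both the ID and the Signature
    // certificate, so it is the only subject field the login needs.
    private static readonly Regex CacIdAtEndOfCn =
        new Regex(@"CN=[^,]*\.(\d{10})\s*$", RegexOptions.IgnoreCase);

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        HttpClientCertificate cert = Request.ClientCertificate;

        // Step 1: CAC authentication. With "require client certificates" IIS
        // has already validated the chain; these checks cover a site that
        // only "accepts" them, where an anonymous request still reaches here.
        if (!cert.IsPresent || !cert.IsValid)
        {
            StatusLabel.Text = "A valid DoD client certificate is required.";
            return;
        }

        Match m = CacIdAtEndOfCn.Match(cert.Subject);
        if (!m.Success)
        {
            StatusLabel.Text = "The certificate subject has no 10 digit CAC identifier.";
            return;
        }
        string cacId = m.Groups[1].Value;

        // Step 2: map the card to a Membership user name. An unknown card is
        // not an error: the user simply has not registered the card yet.
        string userName;
        if (!CacUserMap.TryGetValue(cacId, out userName))
        {
            Response.Redirect("~/RegisterCac.aspx");   // assumed registration page
            return;
        }

        // The forms ticket will carry this name, so it must be a real,
        // approved Membership account or the RoleProvider has nothing to map.
        MembershipUser user = Membership.GetUser(userName);
        if (user == null || !user.IsApproved || user.IsLockedOut)
        {
            StatusLabel.Text = "Account is not approved for access.";
            return;
        }

        // Step 3: issue the forms ticket (non-persistent) and send the user on
        // to ReturnUrl/defaultUrl. Roles and the sitemap now resolve from the
        // Membership user name exactly as they do after a password login.
        FormsAuthentication.RedirectFromLoginPage(user.UserName, false);
    }
}
```

The ticket name has to be the Membership user name rather than the certificate's CN: the RoleProvider and the sitemap's security trimming both key on User.Identity.Name, which is why a user who is let in on the certificate alone sees no roles and no navigation.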
  • User-1767982903 posted

    BRIAN!  This is fantastic...

    Only thought,  the BO User ID's are used to match to against the CAC info for Trusted Authen to work (with the SharedSecret).  But if I was to try to implement the CAC ID, I would have to request each of our 3,000 users to supply their CAC ID's, and then populate BO accordingly.

    This is why I was thinking the email route - we have a help desk and they constantly reset peoples passwords.  Although emails may change due to the reasons you have stated,  I see the manual effort going the email route as much less than populating all of our users BO User ID's with their CAC ID's.

    Unless, of course, I'm missing something!

    Wednesday, January 13, 2010 11:09 AM
  • User-1069045755 posted

    Yeah, for 3,000 users it would be a pain! 

    This is what the entire subject line of the client certificate looks like, as an example just so you know:

    C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=CONTRACTOR, CN=FANCETT.BRIAN.P.1245703429 


    Here's the main problem with using the email address for authentication, and REALLY consider this.  For DoD purposes, there are at least 2 certificates on a user's CAC, the ID Certificate, and the Signature Certificate.  When I, and all my other users authenticate to my application, and IIS prompts the Active Client window, which then prompts you to select a certificate, we usually select the ID Certificate, because it's the first one in the list.

    The ID Certificate does NOT contain the user's email address, only the Signature Certificate contains the email address!  So, if you ever had a user that selected the ID Certificate, they wouldn't be able to authenticate, and even worse, unless you catch the exception in code your application will crash because the value you are looking for (email) does not exist.

    It's for this reason, and this reason alone, that the 10 digit ID is best, because it is present on both certificates, and it's the only thing guaranteed NEVER to change.

    Now, the way that I handle getting the ID for all my users, is that they must send me a digitally signed email requesting access to the application.  I then grab the 10 digit ID from their digital signature in the email, and add it to my database.  Also, you can look them up from the following website:

    https://crl.gds.disa.mil

    Now, this doesn't solve your problem of manually adding the ID for 3,000 users, so maybe what I would do is this.  As part of your application, you'll have to have a "Register CAC Information" page, where users will enter their AKO, NKO, etc., email address into a form, along with their first, middle initial, and last name.  You can then compare this information against the CAC which they just accessed the site with (which is secure because if it isn't valid Active Client will tell IIS not to allow access), using the code I provided, and then perform your database operations, like so:

    1.)  Look up email address in database, if email is valid then

    2.)  Compare the First name, MI, and last name entered by the user with the values from the client certificate, if they match, then

    3.)  Add the 10 digit ID to the database as part of your BO.

    A lot of sites, when they had to comply with the new DISA STIG of CAC authentication, had to do the very same thing, whereby users had to "Register" their CAC information on the site.

    Let me know your thoughts.

    Wednesday, January 13, 2010 11:41 AM
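The registration flow in steps 1 to 3 above, together with the point that the ID and Signature certificates differ in what they carry, as an added console example in C# that is not the poster's code. It assumes the subject has the shape of the sample line above (comma-separated RDNs with the CN in LAST.FIRST.MI.<10 digits> form); the account list, its e-mail addresses and the names in it are constructed sample data. Unlike the position-based parse earlier in the thread, this one locates the CN by its key, so the number of OU= entries does not matter, and it returns false instead of throwing when a field is missing:

```csharp
// Added example (not the thread's own code): the "Register CAC Information"
// flow as a plain C# console program that runs without IIS.
// Assumptions: subject DN is comma-separated RDNs with CN=LAST.FIRST.MI.<10 digits>
// (a missing MI is tolerated); the account list is constructed sample data.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed class CacSubject
{
    public string LastName { get; private set; }
    public string FirstName { get; private set; }
    public string MiddleInitial { get; private set; }
    public string CacId { get; private set; }

    // Finds the CN by key, never by position, and never throws.
    public static bool TryParse(string subject, out CacSubject result)
    {
        result = null;
        if (string.IsNullOrEmpty(subject)) return false;

        string cn = subject.Split(',')
            .Select(rdn => rdn.Trim())
            .Where(rdn => rdn.StartsWith("CN=", StringComparison.OrdinalIgnoreCase))
            .Select(rdn => rdn.Substring(3).Trim())
            .FirstOrDefault();
        if (cn == null) return false;

        // LAST.FIRST.MI.<id>: the 10 digit id is always the final component.
        string[] parts = cn.Split('.');
        if (parts.Length < 3) return false;
        string id = parts[parts.Length - 1];
        if (id.Length != 10 || !id.All(char.IsDigit)) return false;

        result = new CacSubject
        {
            LastName = parts[0],
            FirstName = parts[1],
            MiddleInitial = parts.Length > 3 ? parts[2] : "",   // assumption: MI may be absent
            CacId = id
        };
        return true;
    }
}

public enum RegisterResult { BadCertificate, EmailNotFound, NameMismatch, CacIdInUse, Bound }

public sealed class Account
{
    public string Email, FirstName, MiddleInitial, LastName;
    public string CacId;   // null until the user has registered the card
}

public static class CacRegistration
{
    // Step 1: find the account by e-mail. Step 2: the names the user typed and
    // the names on the account must both match the certificate. Step 3: bind
    // the 10 digit id, refusing an id that is already bound to another account.
    public static RegisterResult Register(IList<Account> accounts, string certSubject,
        string email, string first, string mi, string last)
    {
        CacSubject cac;
        if (!CacSubject.TryParse(certSubject, out cac)) return RegisterResult.BadCertificate;

        Account acct = accounts.FirstOrDefault(a => Same(a.Email, email));
        if (acct == null) return RegisterResult.EmailNotFound;

        bool match = Same(last, cac.LastName) && Same(acct.LastName, cac.LastName)
                  && Same(first, cac.FirstName) && Same(acct.FirstName, cac.FirstName)
                  && Same(mi, cac.MiddleInitial) && Same(acct.MiddleInitial, cac.MiddleInitial);
        if (!match) return RegisterResult.NameMismatch;

        if (accounts.Any(a => a != acct && a.CacId == cac.CacId)) return RegisterResult.CacIdInUse;

        acct.CacId = cac.CacId;
        return RegisterResult.Bound;
    }

    private static bool Same(string a, string b)
    {
        return string.Equals((a ?? "").Trim(), (b ?? "").Trim(), StringComparison.OrdinalIgnoreCase);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample data; the subject line is the one quoted in the thread.
        const string subject =
            "C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=CONTRACTOR, CN=FANCETT.BRIAN.P.1245703429";
        var accounts = new List<Account>
        {
            new Account { Email = "user1@example.mil", FirstName = "Brian", MiddleInitial = "P", LastName = "Fancett" },
            new Account { Email = "user2@example.mil", FirstName = "Jane",  MiddleInitial = "Q", LastName = "Doe" }
        };

        Console.WriteLine("Unknown e-mail:   " + CacRegistration.Register(accounts, subject, "nobody@example.mil", "Brian", "P", "Fancett"));
        Console.WriteLine("Someone's card:   " + CacRegistration.Register(accounts, subject, "user2@example.mil", "Jane", "Q", "Doe"));
        Console.WriteLine("Own card:         " + CacRegistration.Register(accounts, subject, "user1@example.mil", "brian", "p", "FANCETT"));
        Console.WriteLine("Bound id on row 1: " + accounts[0].CacId);
    }
}
```

Because the names entered on the form are checked against the certificate the browser actually presented, a user cannot bind someone else's card to their own e-mail entry, and because the 10 digit id is present in the CN of both the ID and the Signature certificate, the result is the same whichever one the user picked in the ActivClient prompt.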
  • User-1767982903 posted

    Very Impressive and I have to concur with what you have provided - some manual work on my end, however, will be worth it in the long run.

    I ran "response.write("CAC =" & Request.ClientCertificate()) and retrieved the whole "string",  not seeing an email was a little bit of a surprise.

    You have saved me so much "what the heck am I doing" research and work!!!

     

    Thanks so much

     

    Wednesday, January 13, 2010 12:04 PM
  • User-1069045755 posted

    No problem at all.  You'd be amazed how many people from within the DoD have found the same posting you found and contacted me.  If you provide me with your work email address I will send you a white paper that goes over the entire implementation.

    I'm glad that I helped!

    Brian 

    Wednesday, January 13, 2010 1:22 PM
  • User-1767982903 posted

    michael.bujarski@wpafb.af.mil

    White paper,  that would be great, thanks so much!   

    Wednesday, January 13, 2010 1:37 PM
  • User-762180336 posted

    I need more of this!

    If anyone has documentation; a book, a white paper, a napkin... whatever!

    I have been charged with building a personnel database with a web front-end on our intranet. My requirements are two-fold:

    1. Existing personnel (with CAC+AD account) must complete an online wizard and submit their information. I need to tie their personnel record to their AD account for edits on subsequent visits.
    2. New personnel (with CAC-AD account) must complete same/similar online wizard, accept the application would initiate the AD account creation process to be completed/enabled by an administrator later.

    So I need to implement both anonymous access and Windows authentication. Should I separate these into two web applications? Since this is NIPR maybe I could employ the DISA catalog for authentication. Thoughts? I've never accessed that catalog programmatically.

    I'm relatively new to ASP.NET C# programming coming from a Java background. I have built two relatively simple ASP.NET web applications but cracking the CAC certificate has proven beyond my reach. In the second requirement, I just want to crack it open and get what I need out of it. I don't want/need to authenticate the user.

    Any suggestions would help at this point because this project is dead in the water if I stay at the helm.

    Wednesday, January 20, 2010 3:16 PM
  • User-219548500 posted

    Hi, I would just like to say that I am on of those that found your posting really useful.  I have been assigned a project where I need to implement CAC login for a sharepoint website.  I am interested in this white paper that goes over the implementation you provided.  My email is ecrisostomo@eggnorfolk.com.  Thanks in advance.


    Tuesday, January 26, 2010 11:40 AM
  • User-1167183579 posted

    Brian,

     

    this posting has been a great help.

    I am working on similar software but was wondering if it were possible to pull Other Information from the CAC as well as the X509 certificates

    through the web browser. I get the certificate information, but we would also like to be able to access the "personal information" on the card.

    ActivClient pulls this information, is it feasible via the browser?

    Your white paper woudl quite helpful as well.

    Thank You,

    Kevin James

    kevinDOTjames12ATngDOTarmyDOTmil

     

    Wednesday, January 27, 2010 4:37 PM
  • User1543260592 posted

    Could You send me the white paper for CAC Card (Tommy.Smith@us.army.mil

    Friday, May 21, 2010 9:40 AM
  • User-1590483902 posted

    Brian,

    I too would be interested in your code.  I am using LDAP but would like use CAC authentication. 

    Wednesday, May 26, 2010 7:00 AM
  • User-1387409847 posted

    Has anyone encountered a situation where a PIN  needs to be entered for different file types? I notice on my asp.net app that I need to enter the card pin initially for an ASPX, once again for a call to an ASHX and once more for a call to an ASMX. I'm able to access the card information in code afterwards and hook into a custom membership and role provider.

    Wednesday, May 26, 2010 7:14 PM
  • User-1069045755 posted

    Hey everyone, it's bfancett. 

    Please do not email me at my army email address requesting the whitepaper I wrote from a gmail, yahoo, or other commercial email address....I will not reply.  Additionally, anyone who finds this post helpful, I'm glad, but you should refer to the forge.mil CAC community forum for further correspondence on this topic.  If you don't have a CAC you won't be able to access this site, but if you don't have a CAC you probably shouldn't be testing CAC authentication, ya think?

    Regards,

    Brian 

    Tuesday, June 1, 2010 11:54 AM
  • User-1069045755 posted

    Just want to let everyone know that I now have a working implementation of CAC Authentication for .Net apps (web forms and MVC) for applications that run through a reverse proxy.  If anyone tried implementing my earlier solution on an application going through a reverse proxy and could not get it to work, it's because the reverse proxy device strips out the HTTP Header information, and causes you to lose your client certificate data.

    I have a new white paper with code for anyone who would like it.  Contact me through the usual channels or email.

    Thanks,

    Brian Fancett 

    Tuesday, June 22, 2010 8:08 AM
  • User1444871625 posted

    Hey Brian, Would like to see that white paper on that CAC Authentication for .Net apps.

    Thursday, March 3, 2011 1:52 PM
  • User-1859384865 posted
    Hello Brian, Checked out the Forge.mil site as you suggested, however, I could not locate your white paper. Could you please send it to me margie.lang@disa.mil? Thanks!
    Friday, April 22, 2011 1:39 PM
  • User1317119155 posted

    hello i too could not locate your white paper at the site you provided. if you could send me a link or the white paper i would appreciate it

    michael.a.williams16@navy.mil

    Thursday, June 23, 2011 11:45 AM
  • User1293388710 posted

    SHOULD my authorization based off cac subject extraction resulting in a 10 digit cac id, be placed in a MasterPage ???

    Friday, October 21, 2011 9:44 AM