Smart Card (CAC) Authentication with IIS 8.5

In this example I will show you how to setup IIS to require smart card authentication using the DoD Root CA 2, but you can configure IIS to use any trusted root certificate authority.

For this example I am using Windows Server 2012 R2 (IIS 8.5), but these steps should also work for Windows Server 2008 R2 (IIS 7.5).

1. Install Root Certificates

The first step is to ensure you have the root certificates installed for the certificate authority you will authenticate against. For the DoD, we will install them using the “InstallRoot 4” application available at the IASE website: http://iase.disa.mil/pki-pke/.

Clipboard07

After the application installs, run “InstallRoot” and click on “Install Certs”. Verify that the DoD certificates are installed and subscribed.

Clipboard08

2. Configure the IIS Site for SSL

We now need to setup our website to use SSL. For this example, we will create a “self-signed” certificate. In IIS Manager, click on your server and choose “Server Certificates”.

Clipboard01

Choose “Create Self-Signed Certificate” for the list on the right. Give your certificate a name and choose “Web Hosting” for the certificate store.

Clipboard02

Next we need to bind the certificate to the website. Browse to your website and choose “Bindings”. Select “https” for the “Type” and choose the certificate we created earlier in the “SSL certificate” box.

Clipboard04

Now choose “SSL Settings”

Clipboard05

Check “Require SSL” and choose “Require” under “Client certificates”.

Clipboard06

Now when we browse to our website we are prompted for our smart card. Select your certificate and enter your pin and the website now loads.

Clipboard10

3. Certificate Trust List

At this point, we verified that our website is able to authenticate using our smart card, but there is a problem. Windows will authenticate any smart card that has a certificate issued by any certificate authority in the servers “Trusted Root Certificate Authority”. In order to limit which certificate authority can authenticate, we need to create a certificate trust list.

To create the Certificate Trust List (CTL) we will use the Microsoft MakeCTL.exe tool. Run this tool on the server “As Administrator” to start the CTL Wizard.

Clipboard11

Enter a name for your CTL in the “prefix” box. Click the “Add Purpose” button and enter 1.3.6.1.4.1.311.10.1 for the “Object ID”.

Click “Add from Store” and choose the root certificate authority that you will use for authentication.

Clipboard12

Click “Browse” on “Select Certificate Store” and make sure to check the “Show physical stores” box. Choose “Local Computer” under “Intermediate Certificate Authorities”.

Clipboard13

Complete the wizard. Use the same name (prefix) you used in the beginning for the the “Friendly name”.

Clipboard14

Now we need to associate the CTL with our website. Start an Administrative Command Prompt and type:

netsh http show sslcert

Note the IP Port, Certificate Hash, and Application ID. We also will need the friendly name of our CTL.

Clipboard15

Now we delete the existing SSL binding:

“netsh http delete sslcert ipport=0.0.0.0.:443”

Clipboard16

Now add the new binding with the CTL. Replace the ipport, certhash, appid, and sslctlidentifier with your unique configuration.

netsh http add sslcert ipport=0.0.0.0:443 certhash=e50a486ffd7b22431db143cfa24ffd61d9170890 appid={4dc3e181-e14b-4a21-b022-59fc669b0914} sslctlidentifier=”DoD CTL” sslctlstorename=CA

That’s it. Now the site should now only authenticate users who have certificates trusted by certificate authorities listed in the CTL.

Advertisements

About jasontarby

Enterprise Architect / Network Engineer at SRA International, Inc.
This entry was posted in Uncategorized. Bookmark the permalink.

5 Responses to Smart Card (CAC) Authentication with IIS 8.5

  1. snowburnt says:

    Where do we get the MakeCTL.exe tool??

  2. Kenny says:

    I have applied this to a SharePoint 2010 Foundation Server website on IIS7.5. It’s working but my question is how would I limit access to specific DoD CAC card users. I haven’t found a way to successfully add a CAC user via the SharePoint interface. Any ideas or suggestions?

  3. Jim says:

    Make sure that when running the netsh command in PowerShell, wrap the appid={4d…14} in quotes so appid='{4d…14}’

    Also, if you get a logon session error when running the netsh command, try appending certstorename=WebHosting onto the end.

    Also, make sure to add DoD Root CA 3 when creating the CTL since this was originally posted a couple of years ago.

    Great explanation and still useful. Thanks for posting!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s