
Enabling CAC authentication using IIS7 and CF10

New Here, Oct 02, 2013


I am currently working on a web application written in CF running on IIS7 and CF10 server. We need to replace our login page where our users supply username and password w/ CAC login. The goal being for users to be prompted to enter their 6-digit PIN associated w/ their CAC to login to the application as opposed to the username and password they are currently using. If anyone has any suggestions on how to accomplish this, it would be much appreciated.

Enthusiast, Oct 02, 2013


I thought CAC was just the card number + pin, right?

The CAC is scanned and the user enters a pin number.  Since CF cannot interact with the CAC, can the hardware be programmed to send the information to a CFC via an HTTP request?

Like //server/folder/file.cfc?method=authenticateCACRequest&cardID=XXXXXXXXXXXXXXXXXXXXXXXXXXX&pin=YYYYYY

Then just write the code to check against the database and process the response.

Explorer, Oct 02, 2013 (marked as correct answer)


The first step in being able to login with a CAC is making sure that the correct certificates are loaded on your web server. If the right certs are there and the server can read the card it will store the user's last name, first name and a unique user ID off of the card at the end of the CGI.cert_subject variable. We added a field to our user database to store this number. We then strip the name and number out of the CGI.cert_subject and compare it to the database. But the key is getting the right certificates on your server, require SSL and require (or accept) certificate on the SSL Settings. Also, you must disable anonymous authentication and enable Windows authentication if you require everyone to login.

Hope this gets you started, if not let me know and I can provide some of our code snippets.

New Here, Oct 03, 2013


Thanks Donald!

We were thinking that was the way to go.  Any pieces of code you'd be willing to share would be great.  Are you on GitHub?

Explorer, Oct 03, 2013


Sorry, not on GitHub but this snippet should get you the unique user number, their first name and last name.

<cfif CGI.auth_user NEQ ''>
    <!--- Attempting to capture the User Number from the CGI cert_subject. --->
    <!--- Gives us the beginning and end of the User Number: a dot followed by 10 digits --->
    <cfset vCert = REFind('(\.[0-9]{10,10})',CGI.cert_subject,1,"TRUE")>
    <!--- find where the CN= starts --->
    <cfset vCN = findnocase('CN=',CGI.cert_subject,1)>
    <!--- Guard (added): only parse when both pieces were found; otherwise mid() gets a zero or negative length and throws --->
    <cfif vCert.pos[1] gt 0 AND vCN gt 0>
        <!--- Get the User Number (skip the leading dot) --->
        <cfset session.vUN = mid(CGI.cert_subject,vCert.pos[1]+1,vCert.len[1]-1)>
        <!--- grab the user's name from the CN, dropping the trailing ".<User Number>" (11 characters) --->
        <cfset names = mid(CGI.cert_subject,vCN+3,len(CGI.cert_subject)-vCN-3-10)>
    <cfelse>
        <cfset session.vUN = "">
        <cfset names = "">
    </cfif>
    <!--- store the domain name and user name from CGI.AUTH_USER (DOMAIN\user) --->
    <cfif find("\",CGI.AUTH_USER) gt 0>
        <cfset domain = left(CGI.AUTH_USER,find("\",CGI.AUTH_USER,1)-1)>
        <cfset SESSION.vDomain = domain>
        <cfset user = right(CGI.AUTH_USER,len(CGI.AUTH_USER)-find("\",CGI.AUTH_USER,1))>
    <cfelse>
        <cfset domain = "">
        <cfset SESSION.vDomain = domain>
        <cfset user = CGI.AUTH_USER>
    </cfif>
    <!--- Split the last name and first name out of the CN value (LAST.FIRST.MIDDLE) --->
    <cfif findnocase('.',names,1) gt 1>
        <cfset SESSION.vFirstName = right(names,len(names)-findnocase('.',names,1))>
        <cfset SESSION.vLastName = left(names,findnocase('.',names,1)-1)>
    <cfelse>
        <cfset SESSION.vFirstName = "Anonymous">
        <cfset SESSION.vLastName = names>
    </cfif>
</cfif>

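Donald's snippet does the parsing in CFML. The following is an added example in Python, not code from the thread or from Donald, that shows the same extraction with the failure cases handled (no CN, no 10-digit number at the end of the CN, number not present in the user table) so it can be checked offline. The subject DN, the user table and all names and digits in it are constructed. Note the point the exchange above turns on: the PIN is checked by the card and the client-side middleware and never reaches the server; what the server receives is the subject of the client certificate IIS validated, which is why IIS must require (or at least accept) the certificate before the value in CGI.cert_subject means anything.

```python
"""Added example (not from the thread): Python stand-in for the CFML logic,
parsing the CGI.cert_subject value IIS exposes after a CAC client certificate
has been accepted, splitting out the 10-digit user number and the name, and
comparing the number with the column the thread added to the user table.
Every sample value below is constructed."""
import re
from typing import Optional

# Constructed subject DN in the order IIS usually presents it (CN last).
SAMPLE_SUBJECT = ("C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=CONTRACTOR, "
                  "CN=DOE.JOHN.Q.1234567890")

# Constructed user table keyed by the number taken from the card; the thread
# describes adding such a column to the application's user database.
USER_TABLE = {"1234567890": {"username": "jdoe", "role": "analyst"}}

# CN attribute anywhere in the DN; its value runs to the next comma.
_CN_RE = re.compile(r"(?:^|,\s*)CN=(?P<cn>[^,]+)")
# The user number is the final ".<10 digits>" of the CN (same 10-digit
# pattern the CFML snippet uses).
_USER_NUMBER_RE = re.compile(r"\.(?P<num>[0-9]{10})$")


def split_auth_user(auth_user: str) -> tuple:
    """Split IIS's AUTH_USER ("DOMAIN\\user") into (domain, user); a bare
    user name yields an empty domain, as in the CFML snippet."""
    domain, sep, user = auth_user.partition("\\")
    return (domain, user) if sep else ("", domain)


def parse_cert_subject(subject: str) -> Optional[dict]:
    """Return the user number and name parts from the subject DN, or None when
    there is no CN ending in ".<10 digits>" (e.g. a non-CAC certificate)."""
    m = _CN_RE.search(subject)
    if not m:
        return None
    cn = m.group("cn").strip()
    n = _USER_NUMBER_RE.search(cn)
    if not n:
        return None
    parts = cn[: n.start()].split(".")  # LAST.FIRST.MIDDLE without the number
    return {
        "user_number": n.group("num"),
        "last": parts[0],
        "first": parts[1] if len(parts) > 1 else "",
        "middle": ".".join(parts[2:]),
    }


def authenticate(subject: str, auth_user: str, table=USER_TABLE) -> Optional[dict]:
    """Mirror the thread's flow: treat the subject as meaningful only when IIS
    has also populated AUTH_USER (the handshake succeeded), then require the
    user number to exist in the table. Returns the merged record or None."""
    if not auth_user:
        return None
    parsed = parse_cert_subject(subject)
    if parsed is None:
        return None
    record = table.get(parsed["user_number"])
    if record is None:
        return None  # valid card, but not a user of this application
    domain, user = split_auth_user(auth_user)
    return {**parsed, **record, "domain": domain, "auth_user": user}


if __name__ == "__main__":
    print(authenticate(SAMPLE_SUBJECT, "DOMAIN\\jdoe"))
```

The lookup is keyed on the user number rather than the name because the name portion of the CN is not unique and can change, while the number is what the thread stores in the database.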
New Here, Oct 03, 2013


Donald, thank you for your post. I work with cbowie75 and I follow what you are saying. What I am most interested in right now is how you get the CGI variable from inserting the CAC card/PIN into ColdFusion. We are still working the certificates on the server, but how does the server read the card to get this information?

Explorer, Oct 03, 2013


The certs have to be installed on the server before it will work and those certs have to pair up with the ones on your CAC. Once the certs are there you must force IIS to look at them by setting the SSL to require a certificate and set authentication to Windows (not anonymous). By setting IIS to require certs it should force it to look for the CAC. If it reads the CAC, it will populate the CGI.CERT_SUBJECT variable. Getting the certs on the server really is the key. I believe they have to be in the Intermediate Certificate Authorities.

New Here, Oct 15, 2013


Thanks so much Donald... we've installed test certs from JITC and trust roots. Next we're looking at certificate status checking. Wondering if you could shed any light on OCSP configuration?

Explorer, Oct 15, 2013


I have not implemented OCSP yet so I can't help you there. Our JITC certificates are loaded on our development network which does not connect to the Internet, so OCSP probably will cause us lots of headaches.
