I am currently working on a web application written in CF running on IIS7 and CF10 server. We need to replace our login page where our users supply username and password with CAC login. The goal being for users to be prompted to enter their 6-digit PIN associated with their CAC to log in to the application, as opposed to the username and password they are currently using. If anyone has any suggestions on how to accomplish this, it would be much appreciated.
I thought CAC was just the card number + pin, right?
The CAC is scanned and the user enters a PIN. Since CF cannot interact with the CAC, can the hardware be programmed to send the information to a CFC via an HTTP request?
Like //server/folder/file.cfc?method=authenticateCACRequest&cardID=XXXXXXXXXXXXXXXXXXXXXXXXXXX&pin=YYYYYY
Then just write the code to check against the database and process the response.
The first step in being able to log in with a CAC is making sure that the correct certificates are loaded on your web server. If the right certs are there and the server can read the card, it will store the user's last name, first name and a unique user ID off of the card at the end of the CGI.cert_subject variable. We added a field to our user database to store this number. We then strip the name and number out of the CGI.cert_subject and compare it to the database. But the key is getting the right certificates on your server, require SSL and Require (or accept) certificate on the SSL Settings. Also, you must disable anonymous authentication and enable Windows authentication if you require everyone to log in.
Hope this gets you started, if not let me know and I can provide some of our code snippets.
Thanks Donald!
We were thinking that was the way to go. Any pieces of code you'd be willing to share would be great. Are you on GitHub?
Sorry, not on GitHub, but this snippet should get you the unique user number, their first name and last name.
<cfif CGI.auth_user NEQ ''>
    <!--- IIS only populates CGI.cert_subject after it has accepted the client certificate. --->
    <!--- On a CAC the CN looks like LAST.FIRST.MIDDLE.1234567890; the trailing 10 digits are the unique User Number. --->
    <!--- Gives us the beginning and end of the User Number (pos[1] is 0 when there is no match) --->
    <cfset vCert = REFind('(\.[0-9]{10,10})',CGI.cert_subject,1,"TRUE")>
    <cfif vCert.pos[1] gt 0>
        <!--- Get the User Number (skip the leading dot) --->
        <cfset session.vUN = mid(CGI.cert_subject,vCert.pos[1]+1,vCert.len[1]-1)>
        <!--- find where the CN= starts --->
        <cfset vCN = findnocase('CN=',CGI.cert_subject,1)>
        <!--- grab the user's name from the CN: everything after "CN=" minus the ".1234567890" suffix.
              Assumes the CN is the last element of the subject string. --->
        <cfset names = mid(CGI.cert_subject,vCN+3,len(CGI.cert_subject)- vCN - 3 - 10)>
    <cfelse>
        <!--- No User Number on the certificate: leave both empty so the later database lookup fails --->
        <cfset session.vUN = "">
        <cfset names = "">
    </cfif>
    <!--- find and store the domain name and user name from CGI.AUTH_USER (DOMAIN\user) --->
    <cfif find("\",CGI.AUTH_USER) gt 0>
        <cfset domain = left(CGI.AUTH_USER,find("\",CGI.AUTH_USER,1)-1)>
        <cfset SESSION.vDomain = domain>
        <cfset user = right(CGI.AUTH_USER,len(CGI.AUTH_USER)-find("\",cgi.AUTH_USER,1))>
    <cfelse>
        <cfset domain = "">
        <cfset SESSION.vDomain = domain>
        <cfset user = CGI.AUTH_USER>
    </cfif>
    <!--- Split the last name and first name out of the name captured from CGI.cert_subject --->
    <cfif findnocase('.',names,1) gt 1>
        <cfset SESSION.vFirstName = right(names,len(names)-findnocase('.',names,1))>
        <cfset SESSION.vLastName = left(names,findnocase('.',names,1)-1)>
    <cfelse>
        <cfset SESSION.vFirstName = "Anonymous">
        <cfset SESSION.vLastName = names>
    </cfif>
</cfif>
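The same extraction as the snippet above, written as an added Python example (not Donald's code, and not ColdFusion) so the parsing logic can be read and tested on its own. It goes a little beyond the snippet: it splits the subject string into its RDNs instead of assuming the CN is last, treats the 10-digit User Number (not the name) as the key to match against the database, and returns nothing at all when the certificate carries no such number or when IIS provided no authenticated user. The subject string, the names, the digits and the DOMAIN\user value are constructed sample data; the `lookup_app_user` directory stands in for the database column Donald describes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample values in the shape IIS hands to ColdFusion as
# CGI.cert_subject and CGI.auth_user. Names and digits are made up.
SAMPLE_CERT_SUBJECT = (
    "C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=CONTRACTOR, "
    "CN=DOE.JOHN.Q.1234567890"
)
SAMPLE_AUTH_USER = r"CORP\jdoe"

# Stand-in for the database table that stores the User Number per account.
SAMPLE_DIRECTORY = {"1234567890": "jdoe"}


@dataclass
class CacIdentity:
    user_number: str   # the 10-digit ID from the end of the CN
    last_name: str
    first_name: str
    middle: str        # may be empty, or contain several dotted parts
    domain: str        # empty when AUTH_USER has no DOMAIN\ prefix
    user: str


def parse_subject(subject: str) -> Dict[str, List[str]]:
    """Split a comma-separated subject string into {TYPE: [values]}.
    Repeated types (OU) keep every value; an escaped comma inside a
    value ("\\,") is preserved rather than treated as a separator."""
    parts: Dict[str, List[str]] = {}
    for rdn in re.split(r"(?<!\\),\s*", subject):
        if "=" not in rdn:
            continue
        key, value = rdn.split("=", 1)
        parts.setdefault(key.strip().upper(), []).append(
            value.strip().replace("\\,", ","))
    return parts


def identity_from_cgi(cert_subject: str, auth_user: str) -> Optional[CacIdentity]:
    """Mirror of the ColdFusion snippet: returns None unless IIS produced an
    authenticated user AND the certificate CN ends in a 10-digit number."""
    if not auth_user:
        return None                      # IIS did not accept a certificate
    cn_values = parse_subject(cert_subject).get("CN", [])
    if not cn_values:
        return None
    segments = cn_values[0].split(".")
    if len(segments) < 2 or not re.fullmatch(r"\d{10}", segments[-1]):
        return None                      # no User Number on this certificate
    names = segments[:-1]
    if "\\" in auth_user:
        domain, user = auth_user.split("\\", 1)
    else:
        domain, user = "", auth_user
    return CacIdentity(
        user_number=segments[-1],
        last_name=names[0],
        first_name=names[1] if len(names) > 1 else "",
        middle=".".join(names[2:]),
        domain=domain,
        user=user,
    )


def lookup_app_user(identity: Optional[CacIdentity],
                    directory: Dict[str, str]) -> Optional[str]:
    """Match on the User Number only; names are display data, not the key."""
    if identity is None:
        return None
    return directory.get(identity.user_number)


if __name__ == "__main__":
    ident = identity_from_cgi(SAMPLE_CERT_SUBJECT, SAMPLE_AUTH_USER)
    print(ident)
    print("application user:", lookup_app_user(ident, SAMPLE_DIRECTORY))
```

The check on `auth_user` matters as much as the parsing: with anonymous authentication disabled and "Require certificate" set, an empty `AUTH_USER` means IIS never validated a card, so nothing in `cert_subject` should be trusted.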
Donald, thank you for your post. I work with cbowie75 and I follow what you are saying. What I am most interested in right now is how you get the CGI variable from inserting the CAC card/PIN into ColdFusion. We are still working the certificates on the server, but how does the server read the card to get this information?
The certs have to be installed on the server before it will work and those certs have to pair up with the ones on your CAC. Once the certs are there you must force IIS to look at them by setting the SSL to require a certificate and set authentication to windows (not anonymous). By setting IIS to require certs it should force it to look for the CAC. If it reads the CAC, it will populate the CGI.CERT_SUBJECT variable. Getting the certs on the server really is the key. I believe they have to be in the Intermediate Certificate Authorities.
Thanks so much Donald... we've installed test certs from JITC and trust roots. Next we're looking at certificate status checking. Wondering if you could shed any light on OCSP configuration?
I have not implemented OCSP yet so I can't help you there. Our JITC certificates are loaded on our development network which does not connect to the Internet so OCSP probably will cause us lots of headaches.