8 Replies Latest reply on Oct 15, 2013 8:59 AM by Donald Baert

    Enabling CAC authentication using IIS7 and CF10

    cbowie75

      I am currently working on a web application written in CF running on IIS7 and CF10 server.  We need to replace our login page where our users supply username and password w/ CAC login.  The goal being for users to be prompted to enter their 6 digit PIN associated w/ their CAC to login to the application as opposed to the username and password they are currently using.  If anyone has any suggestions on how to accomplish this it would be much appreciated.

        • 1. Re: Enabling CAC authentication using IIS7 and CF10
          Aegis Kleais Level 3

          I thought CAC was just the card number + pin, right?


          The CAC is scanned and the user enters a pin number.  Since CF cannot interact with the CAC, can the hardware be programmed to send the information to a CFC via an HTTP request?


          Like //server/folder/file.cfc?method=authenticateCACRequest&cardID=XXXXXXXXXXXXXXXXXXXXXXXXXXX &pin=YYYYYY


          Then just write the code to check against the database and process the response.

          1 person found this helpful
          • 2. Re: Enabling CAC authentication using IIS7 and CF10
            Donald Baert

            The first step in being able to log in with a CAC is making sure that the correct certificates are loaded on your web server.  If the right certs are there and the server can read the card, it will store the user's last name, first name and a unique user ID off of the card at the end of the CGI.cert_subject variable.  We added a field to our user database to store this number.  We then strip the name and number out of the CGI.cert_subject and compare it to the database.  But the key is getting the right certificates on your server, require SSL and Require (or accept) certificate on the SSL Settings. Also, you must disable anonymous authentication and enable Windows authentication if you require everyone to login.


            Hope this gets you started; if not, let me know and I can provide some of our code snippets.

            • 3. Re: Enabling CAC authentication using IIS7 and CF10
              cbowie75 Level 1

              Thanks Donald!


              We were thinking that was the way to go.  Any pieces of code you'd be willing to share would be great.  Are you on GitHub?

              • 4. Re: Enabling CAC authentication using IIS7 and CF10
                Donald Baert Level 1

                Sorry, not on GitHub, but this snippet should get you the unique user number, their first name and last name.


                <cfif CGI.auth_user NEQ ''>
                    <!--- Attempt to capture the User Number from CGI.cert_subject.
                          It is the 10-digit value following the last "." in the CN. --->
                    <cfset vCert = REFind('(\.[0-9]{10,10})', CGI.cert_subject, 1, "TRUE")>
                    <!--- pos[1] is 0 when the pattern did not match; guard so mid() is not
                          called with a negative length. --->
                    <cfif vCert.pos[1] GT 0>
                        <!--- Get the User Number (skip the leading ".") --->
                        <cfset session.vUN = mid(CGI.cert_subject, vCert.pos[1]+1, vCert.len[1]-1)>
                    <cfelse>
                        <cfset session.vUN = "">
                    </cfif>
                    <!--- find where the CN= starts --->
                    <cfset vCN = findnocase('CN=', CGI.cert_subject, 1)>
                    <!--- grab the user's name from the CN: everything after "CN=" except
                          the trailing ".nnnnnnnnnn" (11 characters) --->
                    <cfset names = mid(CGI.cert_subject, vCN+3, len(CGI.cert_subject) - vCN - 3 - 10)>
                    <!--- find and store the domain name and user name from CGI.AUTH_USER
                          (Windows authentication supplies DOMAIN\user) --->
                    <cfif find("\", CGI.AUTH_USER) gt 0>
                        <cfset domain = left(CGI.AUTH_USER, find("\", CGI.AUTH_USER, 1)-1)>
                        <cfset SESSION.vDomain = domain>
                        <cfset user = right(CGI.AUTH_USER, len(CGI.AUTH_USER)-find("\", cgi.AUTH_USER, 1))>
                    <cfelse>
                        <cfset domain = "">
                        <cfset SESSION.vDomain = domain>
                        <cfset user = CGI.AUTH_USER>
                    </cfif>
                    <!--- Split the last name and first name from the names variable captured
                          from CGI.cert_subject (format LAST.FIRST[.MIDDLE]) --->
                    <cfif findnocase('.', names, 1) gt 1>
                        <cfset SESSION.vFirstName = right(names, len(names)-findnocase('.', names, 1))>
                        <cfset SESSION.vLastName = left(names, findnocase('.', names, 1)-1)>
                    <cfelse>
                        <cfset SESSION.vFirstName = "Anonymous">
                        <cfset SESSION.vLastName = names>
                    </cfif>
                </cfif>

                1 person found this helpful
                • 5. Re: Enabling CAC authentication using IIS7 and CF10
                  King_FOX89

                  Donald,  Thank you for your post.  I work with cbowie75 and I follow what you are saying.  What I am most interested in right now is how you get the CGI variable from inserting the CAC card/PIN to ColdFusion.  We are still working the certificates on the server, but how does the server read the card to get this information?

                  • 6. Re: Enabling CAC authentication using IIS7 and CF10
                    Donald Baert Level 1

                    The certs have to be installed on the server before it will work, and those certs have to pair up with the ones on your CAC.  Once the certs are there you must force IIS to look at them by setting the SSL to require a certificate and set authentication to Windows (not anonymous).  By setting IIS to require certs it should force it to look for the CAC.  If it reads the CAC, it will populate the CGI.CERT_SUBJECT variable.  Getting the certs on the server really is the key.  I believe they have to be in the Intermediate Certificate Authorities.

                    1 person found this helpful
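The IIS settings described in replies 2 and 6 (require SSL, require a client certificate, disable anonymous authentication, enable Windows authentication, and the intermediate CA store), written out as an added PowerShell example that is not from this thread or its posters. It assumes the WebAdministration module on the IIS 7 host and a site named "Default Web Site", which is a placeholder.

```powershell
# Added example, not from this thread. Assumes the IIS WebAdministration module;
# "Default Web Site" is a placeholder for the real site name.
Import-Module WebAdministration
$site = 'Default Web Site'

# Weak baseline most sites start from: sslFlags = 'None' (SSL optional, client
# certificate ignored) and anonymous authentication enabled. With that baseline
# IIS never asks for the CAC, so CGI.cert_subject stays empty.

# 1. Require SSL and REQUIRE (not merely accept) a client certificate so IIS
#    performs the CAC handshake and passes the subject through to ColdFusion.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' `
    -Value 'Ssl,SslRequireCert'

# 2. Turn anonymous authentication off so no request bypasses the card check.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'enabled' -Value $false

# 3. Turn Windows authentication on (what the CGI.AUTH_USER parsing relies on).
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name 'enabled' -Value $true

# Read everything back and verify before testing with a real card.
$access = Get-WebConfiguration -PSPath 'IIS:\' -Location $site `
    -Filter 'system.webServer/security/access'
$anon = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name 'enabled'
$win = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name 'enabled'

if ($access.sslFlags -notmatch 'SslRequireCert' -or $anon.Value -or -not $win.Value) {
    Write-Warning "Client-certificate requirement is NOT fully applied on '$site'"
} else {
    Write-Output "OK: '$site' requires SSL + client cert; anonymous off, Windows auth on"
}

# The issuing (intermediate) CAs for the cards must be in the machine's
# Intermediate Certification Authorities store; list what is there so a
# missing chain is spotted before the browser reports a handshake failure.
Get-ChildItem Cert:\LocalMachine\CA |
    Select-Object Subject, NotAfter |
    Sort-Object Subject |
    Format-Table -AutoSize
```

Expired entries in the intermediate list, or none matching the card's issuer, explain most "the server does not read the card" symptoms before any ColdFusion code runs.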
                    • 7. Re: Enabling CAC authentication using IIS7 and CF10
                      cbowie75 Level 1

                      Thanks so much Donald... we've installed test certs from JITC and trust roots.  Next we're looking at certificate status checking.  Wondering if you could shed any light on OCSP configuration?

                      • 8. Re: Enabling CAC authentication using IIS7 and CF10
                        Donald Baert Level 1

                        I have not implemented OCSP yet so I can't help you there.  Our JITC certificates are loaded on our development network which does not connect to the Internet so OCSP probably will cause us lots of headaches.