CAC single sign on/authentication in a Client/Server C++

Tim Tierney ttierney at
Mon Apr 6 11:42:51 EDT 2009


I am trying to develop a Common Access Card client/server solution using
C++ and I'm looking for reference material/documentation.  I'd assume I need
PKInit extensions as well.

My client will be running on XP, server could be on XP or Windows 2003
server, and the KDC server will be Windows 2003.  Users will be required to
login with their CAC/Smart Card (certificate logon).

My client will have a CAC (Common Access Card) Card reader, using a
certificate based logon.  After a successful logon, I would like to pass the
public certificate to my server application running as a Service (Local
System acct).  I would like my server to talk to the KDC to obtain a
Kerberos TGT.  Then I can impersonate or create processes as the CAC/Smart
Card user.

Is this even possible?  

Is there any documentation that someone can point me to that I can use as a
reference?  I have been searching the forum and I didn't find any
information yet.  I'm still looking.

I do not need to talk to the card (I've got that code).  It is the
authentication mechanism between the client/server app that I need direction

Any pointers/help would be greatly appreciated.


P.S.  If I'm not supposed to post this type of question here please let me
Sent from the Kerberos - Dev mailing list archive at