CAC single sign on/authentication in a Client/Server C++

Douglas E. Engert deengert at anl.gov
Tue Apr 7 10:18:07 EDT 2009



Tim Tierney wrote:
> Hello,
> 
> I am trying to develop a Common Access Card client/server solution using
> C++ and I'm looking for reference material/documentation.  I'd assume I need
> PKInit extensions as well.
> 
> My client will be running on XP, server could be on XP or Windows 2003
> server, and the KDC server will be Windows 2003.  Users will be required to
> login with their CAC/Smart Card (certificate logon).

We are doing something similar with the PIV cards. As I understand CAC
cards are being converted to PIV.

There are a couple of routes:

   For Windows login, you will need a windows CSP that understands CAC/PIV.
   Windows 7 has this built in, for PIV at least.

   ActivCard has middleware to do this on XP and Vista.

   Use an open source CSP, like the CoolKey CSP, but since Microsoft is
   going to support PIV we gave up on using CoolKey.

> 
> My client will have a CAC (Common Access Card) Card reader, using a
> certificate based logon. 

I.E. Windows uses PKINIT, and gets a TGT for the user.

> After a successful logon, I would like to pass the
> public certificate to my server application running as a Service (Local
> System acct).   I would like my server to talk to the KDC to obtain a
> Kerberos TGT.  Then I can impersonate or create processes as the CAC/Smart
> Card user.

After login, Windows and the LSA would already have a TGT for the user, so
it is not clear why you need to get another one. In addition to passing
the certificate you will also need access to the card to sign responses
for PKINIT. (Or TLS.)

> 
> Is this even possible?  
> 
> Is there any documentation that someone can point me to that I can use as a
> reference?  I have been searching the forum and I didn't find any
> information yet.  I'm still looking.

Google for:
ActivCard CAC
CAC PKINIT
CAC pkcs#11
Windows 7 PIV smart card
Windows PKINIT CAC

> 
> I do not need to talk to the card (I've got that code).  It is the
> authentication mechanism between the client/server app that I need direction
> on.

Once you login you have Kerberos tickets.

IE can also use the CSP for TLS.  Netscape/FireFox/Thunderbird can use PKCS#11
to access a card too.

> 
> Any pointers/help would be greatly appreciated.
> 
> -Tim
> 
> P.S.  If I'm not supposed to post this type of question here please let me
> know.

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
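The point made above, that handing the server the public certificate is not enough and the card itself has to sign something, can be shown with a small challenge/response in code. The following is an added illustration written for this archive page, not code from either poster and not the PKINIT exchange itself (PKINIT signs pre-authentication data inside the AS-REQ; this is the generic form of the same idea). It is written in Go so it runs with only the standard library. The Card and Server types, the self-signed certificate, the subject name DOE.JOHN.1234567890 and the 32-byte nonce are all constructed for the example; a real CAC/PIV card would be driven through a CSP or PKCS#11, and a real server would also chain the certificate to its issuing CA and check revocation, which this example leaves out because it has no CA.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Card stands in for the smart card (constructed for this example): it keeps
// the private key and only ever hands out signatures, never the key itself.
type Card struct {
	key  *rsa.PrivateKey
	Cert *x509.Certificate // the public certificate the client would pass along
}

// NewCard mints a throwaway key and self-signed certificate so the example runs offline.
func NewCard(holder string) (*Card, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed value
		Subject:      pkix.Name{CommonName: holder},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Card{key: key, Cert: cert}, nil
}

// Sign is the only operation the card exposes: RSA PKCS#1 v1.5 over SHA-256.
func (c *Card) Sign(msg []byte) []byte {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err) // only fails if the system RNG is broken
	}
	return sig
}

// Server issues one fresh nonce per logon attempt and remembers which are unanswered.
type Server struct {
	pending map[string]bool
}

// Challenge returns a random 32-byte nonce and records it as outstanding.
func (s *Server) Challenge() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err) // system RNG failure
	}
	s.pending[string(n)] = true
	return n
}

// Verify accepts only a signature, made with the presented certificate's key,
// over a nonce this server issued and has not seen answered before.
func (s *Server) Verify(cert *x509.Certificate, nonce, sig []byte) error {
	if !s.pending[string(nonce)] {
		return fmt.Errorf("nonce was never issued or was already used")
	}
	delete(s.pending, string(nonce)) // every challenge is single-use
	if err := cert.CheckSignature(x509.SHA256WithRSA, nonce, sig); err != nil {
		return fmt.Errorf("response not signed by the presented certificate: %w", err)
	}
	return nil
}

// Run plays both sides and reports which attempts the server accepted.
func Run() (certOnly, signed, replay bool) {
	card, err := NewCard("DOE.JOHN.1234567890") // constructed subject name
	if err != nil {
		panic(err) // key generation failing is fatal for the demo
	}
	srv := &Server{pending: map[string]bool{}}
	n1 := srv.Challenge()
	certOnly = srv.Verify(card.Cert, n1, nil) == nil // certificate, no signature
	n2 := srv.Challenge()
	signed = srv.Verify(card.Cert, n2, card.Sign(n2)) == nil // card signed the nonce
	replay = srv.Verify(card.Cert, n2, card.Sign(n2)) == nil // nonce already spent
	return
}

func main() {
	c, s, r := Run()
	fmt.Println("certificate alone:", c, "signed challenge:", s, "replay:", r)
}
```

Running it prints false, true, false: the certificate on its own proves nothing, a signature from the card over a server-chosen nonce does, and the same response cannot be played back. In the setup the reply describes, the service would not normally run this exchange itself at all: the user's logon already produced Kerberos tickets, so the server can accept a Kerberos ticket for its own service principal and let the KDC's PKINIT path carry the card-signing step.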


