CAC single sign on/authentication in a Client/Server C++
TTierney at ecopy.com
Tue Apr 7 10:43:19 EDT 2009
Thank you for your reply.
Quick overview. I have ActivIdentity and a CAC/PKI Domain setup and
users are authenticating on my client (XP) to a Windows 2003 server
using their CAC cards.
In response to "After login, Windows and the LSA would already have a
TGT for the user, so it is not clear why you need to get another one. In
addition to passing the certificate you will also need access to the
card to sign responses for PKINIT. (Or TLS.)"
My apps are C++/COM Windows based and not using IE at all. My client
app is running on XP and has access to the CAC card/certificate. I need
to pass information (I assume the public ID certificate) to my Server so
I can impersonate the client's logged-on user on the Server. I was
hoping to get a Kerberos TGT on the server to give me more access. This
is what I'm lacking information on: how to implement it.
Currently I've created an SSL connection to get the security access token
of my client user on the server. I have set up a TCP socket connection
to talk between the client/server so I can go back to the card.
From: Douglas E. Engert [mailto:deengert at anl.gov]
Sent: Tuesday, April 07, 2009 10:18
To: Tim Tierney
Cc: krbdev at mit.edu
Subject: Re: CAC single sign on/authentication in a Client/Server C++
Tim Tierney wrote:
> I am trying to develop a Common Access Card client/server solution in
> C++ and I'm looking for reference material/documentation. I'd assume
> I need PKInit extensions as well.
> My client will be running on XP, server could be on XP or Windows 2003
> server, and the KDC server will be Windows 2003. Users will be
> required to login with their CAC/Smart Card (certificate logon).
We are doing something similar with the PIV cards. As I understand CAC
cards are being converted to PIV.
There are a couple of routes:
For Windows login, you will need a Windows CSP that understands
Windows 7 has this built in, for PIV at least.
ActivCard has middleware to do this on XP and Vista.
Use an open source CSP, like the CoolKey CSP, but since Microsoft is
going to support PIV we gave up on using CoolKey.
> My client will have a CAC (Common Access Card) Card reader, using a
> certificate based logon.
i.e. Windows uses PKINIT, and gets a TGT for the user.
> After a successful logon, I would like to pass the public certificate
> to my server application running as a Service (Local
> System acct). I would like my server to talk to the KDC to obtain a
> Kerberos TGT. Then I can impersonate or create processes as the
> CAC/Smart Card user.
After login, Windows and the LSA would already have a TGT for the user,
so it is not clear why you need to get another one. In addition to
passing the certificate you will also need access to the card to sign
responses for PKINIT. (Or TLS.)
> Is this even possible?
> Is there any documentation that someone can point me to that I can
> use as a reference? I have been searching the forum and I didn't find
> any information yet. I'm still looking.
Windows 7 PIV smart card
Windows PKINIT CAC
> I do not need to talk to the card (I've got that code). It is the
> authentication mechanism between the client/server app that I need
> direction on.
Once you login you have Kerberos tickets.
IE can also use the CSP for TLS. Netscape/Firefox/Thunderbird can use
PKCS#11 to access a card too.
> Any pointers/help would be greatly appreciated.
> P.S. If I'm not supposed to post this type of question here please
> let me know.
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
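The point Doug makes above (the LSA already holds the user's Kerberos tickets after a smart-card logon, so the client/server app should authenticate with those rather than ship the certificate and obtain a second TGT) can be shown end to end. The following is an added example, not code from either poster: a Kerberos-authenticated client and server over a raw TCP socket, with the server impersonating the caller. It uses .NET's NegotiateStream, which wraps the same SSPI calls a C++/COM application would make (InitializeSecurityContext on the client, AcceptSecurityContext and ImpersonateSecurityContext on the server). The port (5555), the SPN host/<computername> and the assumption that the server runs as Local System on a domain-joined host are mine.

```powershell
<#
Added example (not from the thread): Kerberos client/server over TCP with
server-side impersonation, reusing the logged-on user's LSA tickets.
Assumptions (mine): TCP port 5555, SPN host/<computername>, server run as
Local System so the machine account's default host/ SPN applies.
Run:  .\krb-demo.ps1 -Role Server      (as Local System, e.g. the service itself)
      .\krb-demo.ps1 -Role Client      (as the smart-card-logged-on user)
#>
param(
    [Parameter(Mandatory)][ValidateSet('Server', 'Client')][string]$Role,
    [int]$Port = 5555,
    [string]$Server = $env:COMPUTERNAME,
    [string]$ServerSpn = "host/$env:COMPUTERNAME"
)

function Start-AuthServer {
    param([int]$Port)
    $listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Any, $Port)
    $listener.Start()
    try {
        $tcp  = $listener.AcceptTcpClient()
        $auth = [System.Net.Security.NegotiateStream]::new($tcp.GetStream(), $false)
        # Server credentials are those of the account the service runs as
        # (Local System -> machine account, which owns the host/ SPNs). Request an
        # Impersonation-level token so the service can act as the caller locally.
        $auth.AuthenticateAsServer(
            [System.Net.CredentialCache]::DefaultNetworkCredentials,
            [System.Net.Security.ProtectionLevel]::EncryptAndSign,
            [System.Security.Principal.TokenImpersonationLevel]::Impersonation)

        $caller = [System.Security.Principal.WindowsIdentity]$auth.RemoteIdentity
        # A smart-card logon yields Kerberos tickets. An NTLM result means the
        # client got no service ticket (wrong SPN, host not domain-joined) and the
        # Negotiate package fell back; refuse it instead of accepting weaker auth.
        if ($caller.AuthenticationType -ne 'Kerberos') {
            throw "Refusing non-Kerberos authentication ($($caller.AuthenticationType)) from $($caller.Name)"
        }
        Write-Host "Authenticated $($caller.Name) via $($caller.AuthenticationType); mutual=$($auth.IsMutuallyAuthenticated)"

        # Read one signed and encrypted message from the client.
        $buf = New-Object byte[] 4096
        $n   = $auth.Read($buf, 0, $buf.Length)
        $msg = [System.Text.Encoding]::UTF8.GetString($buf, 0, $n)

        # Do the caller's work under the caller's token, not as Local System.
        $result = @{}
        [System.Security.Principal.WindowsIdentity]::RunImpersonated($caller.AccessToken, [Action]{
            $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
            $result.Reply = "server thread is '$me'; got '$msg'"
        })
        $out = [System.Text.Encoding]::UTF8.GetBytes($result.Reply)
        $auth.Write($out, 0, $out.Length)
    }
    finally {
        if ($auth) { $auth.Dispose() }
        $listener.Stop()
    }
}

function Invoke-AuthClient {
    param([string]$Server, [int]$Port, [string]$Spn)
    $tcp  = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    $auth = [System.Net.Security.NegotiateStream]::new($tcp.GetStream(), $false)
    try {
        # DefaultNetworkCredentials = the logged-on user's LSA credentials. No PIN
        # prompt and no certificate handling: the TGT from the smart-card logon is
        # used to fetch a service ticket for $Spn, so no second PKINIT happens.
        $auth.AuthenticateAsClient(
            [System.Net.CredentialCache]::DefaultNetworkCredentials,
            $Spn,
            [System.Net.Security.ProtectionLevel]::EncryptAndSign,
            [System.Security.Principal.TokenImpersonationLevel]::Impersonation)
        if (-not $auth.IsMutuallyAuthenticated) {
            throw 'Server did not prove its identity (Kerberos mutual authentication failed)'
        }
        $out = [System.Text.Encoding]::UTF8.GetBytes("hello from $env:USERDOMAIN\$env:USERNAME")
        $auth.Write($out, 0, $out.Length)
        $buf = New-Object byte[] 4096
        $n   = $auth.Read($buf, 0, $buf.Length)
        [System.Text.Encoding]::UTF8.GetString($buf, 0, $n)   # server's reply, naming the impersonated identity
    }
    finally { $auth.Dispose() }
}

switch ($Role) {
    'Server' { Start-AuthServer -Port $Port }
    'Client' { Invoke-AuthClient -Server $Server -Port $Port -Spn $ServerSpn }
}
```

Two design choices worth noting. The client names the server by SPN, not by IP or "localhost"; without a resolvable SPN the Negotiate package silently falls back to NTLM, which is why the server checks `AuthenticationType` and refuses anything but Kerberos. And the server asks for an Impersonation-level token only: that is enough to create processes or open local resources as the CAC user, which is what the original question asked for, while a Delegation-level token (and the constrained-delegation configuration it requires in AD) would only be needed if the service had to reach further network services as that user.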