CAC single sign on/authentication in a Client/Server C++

Tim Tierney TTierney at ecopy.com
Tue Apr 7 10:43:19 EDT 2009


Douglas,

Thank you for your reply.

Quick overview.  I have ActivIdentity and a CAC/PKI Domain setup and
users are authenticating on my client (XP) to a Windows 2003 server
using their CAC cards.

In response to "After login, Windows and the LSA would already have a
TGT for the user, so it is not clear why you need to get another one. In
addition to passing the certificate you will also need access to the
card to sign responses for PKINIT. (Or TLS.)"


My apps are C++/COM Windows based and not using IE at all.  My client
app is running on XP and has access to the CAC card/certificate.  I need
to pass information (I assume the public ID certificate) to my Server so
I can impersonate the client's logged on user on the Server.  I was
hoping to get a Kerberos TGT on the server to give me more access.  This
is what I'm lacking info about how to implement.

Currently I've created an SSL connection to get the security access token
of my client user on the server.  I have set up a TCP socket connection
to talk between the client/server so I can go back to the card.

Thanks again,

-Tim


-----Original Message-----
From: Douglas E. Engert [mailto:deengert at anl.gov] 
Sent: Tuesday, April 07, 2009 10:18
To: Tim Tierney
Cc: krbdev at mit.edu
Subject: Re: CAC single sign on/authentication in a Client/Server C++



Tim Tierney wrote:
> Hello,
> 
> I am trying to develop a Common Access Card client/server solution 
> using
> C++ and I'm looking for reference material/documentation.  I'd assume 
> C++ I need
> PKInit extensions as well.
> 
> My client will be running on XP, server could be on XP or Windows 2003
> server, and the KDC server will be Windows 2003.  Users will be 
> required to login with their CAC/Smart Card (certificate logon).

We are doing something similar with the PIV cards. As I understand CAC
cards are being converted to PIV.

There are a couple of routes:

   For Windows login, you will need a Windows CSP that understands
   CAC/PIV.
   Windows 7 has this built in, for PIV at least.

   ActivCard has middleware to do this on XP and Vista.

   Use an open source CSP, like the CoolKey CSP, but since Microsoft is
   going to support PIV we gave up on using CoolKey.

> 
> My client will have a CAC (Common Access Card) Card reader, using a 
> certificate based logon.

I.e. Windows uses PKINIT, and gets a TGT for the user.

> After a successful logon, I would like to pass the public certificate 
> to my server application running as a Service (Local
> System acct).   I would like my server to talk to the KDC to obtain a
> Kerberos TGT.  Then I can impersonate or create processes as the 
> CAC/Smart Card user.

After login, Windows and the LSA would already have a TGT for the user,
so it is not clear why you need to get another one. In addition to
passing the certificate you will also need access to the card to sign
responses for PKINIT. (Or TLS.)

> 
> Is this even possible?  
> 
> Is there any documentation that someone can point me to that I can 
> use as a reference?  I have been searching the forum and I didn't find
> any information yet.  I'm still looking.

Google for:
ActivCard CAC
CAC PKINIT
CAC pkcs#11
Windows 7 PIV smart card
Windows PKINIT CAC

> 
> I do not need to talk to the card (I've got that code).  It is the 
> authentication mechanism between the client/server app that I need 
> direction on.

Once you login you have Kerberos tickets.

IE can also use the CSP for TLS.  Netscape/Firefox/Thunderbird can use
PKCS#11 to access a card too.

> 
> Any pointers/help would be greatly appreciated.
> 
> -Tim
> 
> P.S.  If I'm not supposed to post this type of question here please 
> let me know.

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
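The point Douglas makes in the reply above is that after a smart-card logon the LSA already holds the user's Kerberos TGT, so the client/server application does not need to ship the certificate (which is public and proves nothing on its own) or fetch a second TGT; it only needs to let SSPI use the ticket the user already has. The following is an added example, not code from this thread or from either poster, showing that design with .NET's NegotiateStream (SSPI underneath) from Windows PowerShell 5.1 (.NET Framework, needed for WindowsIdentity.Impersonate()). The server name, port and SPN are assumptions; the SPN must be registered to the account the service runs as.

```powershell
# Added example (not from the thread): authenticate a TCP connection with the
# caller's existing Kerberos ticket via NegotiateStream, then impersonate the
# caller on the server. Hostname, port and SPN are assumed placeholders.

# ---------- server side: runs in the service (Local System / service account) ----------
function Start-NegotiateServer {
    param([int]$Port = 5050)   # assumed port

    $listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Any, $Port)
    $listener.Start()
    try {
        $tcp = $listener.AcceptTcpClient()
        $stream = [System.Net.Security.NegotiateStream]::new($tcp.GetStream(), $false)

        # Run the SSPI token exchange with this process's own credentials; the KDC-issued
        # service ticket, not a certificate sent by the client, is what proves who called.
        $stream.AuthenticateAsServer([System.Net.CredentialCache]::DefaultNetworkCredentials,
            [System.Net.Security.ProtectionLevel]::EncryptAndSign,
            [System.Security.Principal.TokenImpersonationLevel]::Impersonation)

        # Checks the service should make before trusting the result.
        if (-not $stream.IsAuthenticated -or -not $stream.IsMutuallyAuthenticated) {
            throw "Mutual authentication failed"
        }
        if (-not $stream.IsEncrypted -or -not $stream.IsSigned) {
            throw "Channel is not encrypted and signed"
        }
        $identity = [System.Security.Principal.WindowsIdentity]$stream.RemoteIdentity
        # Negotiate can fall back to NTLM; a design that relies on the smart-card
        # (PKINIT) logon path should refuse anything but Kerberos.
        if ($identity.AuthenticationType -ne 'Kerberos') {
            throw "Expected Kerberos, got $($identity.AuthenticationType)"
        }
        Write-Host "Authenticated caller: $($identity.Name)"

        # The thread now runs as the caller with an impersonation-level token obtained
        # from the LSA; no TGT or certificate crossed the wire.
        $ctx = $identity.Impersonate()
        try {
            Write-Host "Now running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
            # ... do work on the caller's behalf here ...
        } finally {
            $ctx.Undo()   # always revert, even if the work above throws
        }
        $stream.Dispose()
    } finally {
        $listener.Stop()
    }
}

# ---------- client side: runs in the smart-card logged-on user's session ----------
function Connect-NegotiateClient {
    param(
        [string]$ServerHost = 'appserver.example.local',   # assumed name
        [int]$Port = 5050,                                  # assumed port
        [string]$Spn = 'host/appserver.example.local'       # assumed SPN of the service account
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($ServerHost, $Port)
    $stream = [System.Net.Security.NegotiateStream]::new($tcp.GetStream(), $false)

    # DefaultNetworkCredentials means "the logged-on user": the LSA uses the TGT it
    # obtained through PKINIT at logon, so the card is not touched again here.
    # Requiring Impersonation (not Delegation) keeps the server from reusing the
    # caller's identity against third parties.
    $stream.AuthenticateAsClient([System.Net.CredentialCache]::DefaultNetworkCredentials,
        $Spn,
        [System.Net.Security.ProtectionLevel]::EncryptAndSign,
        [System.Security.Principal.TokenImpersonationLevel]::Impersonation)

    if (-not $stream.IsMutuallyAuthenticated) { throw "Server identity not proven" }
    Write-Host "Authenticated to $Spn; server identity: $($stream.RemoteIdentity.Name)"
    $stream.Dispose()
}
```

Run Start-NegotiateServer under the service account on the server and Connect-NegotiateClient in the user's interactive session. The native C++ equivalent is the same loop over AcquireCredentialsHandle / InitializeSecurityContext on the client and AcceptSecurityContext / ImpersonateSecurityContext on the server, with the same checks: insist on mutual authentication, reject an NTLM fallback if the design depends on the smart-card logon, and undo the impersonation on every exit path.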