Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
http://support.microsoft.com/kb/892424
When the “Smart card is required for interactive logon” is set on Active Directory, it generates a random password. How do I utilize a smart card to authenticate a user over LDAP from a web application?
How do I know who the user is? Is there a way to access the cert? Can I get it from the session?
HTTPS and SSL mutual authentication should be used for this, because client already has at least corporate CA-signed certificate on its smart card stored.
When mutual SSL authentication is used instead just server authentication, the client certificate is also verified by server, not only the server’s certificate by client (which is more common set-up for e.g. HTTPS enabled e-commerce sites). And you still get encrypted connection as a bonus.
See e.g. Tomcat 6.0 SSL Configuration HOW-TO. The key point is to have the CA certificate in the trust-store and clientAuth attribute set to true.
The login auth-method should be also specified to CLIENT-CERT in web.xml of the respective web-application:
SubjectDN attribute from the client certificate is used to identify the user. LDAP (or ActiveDirectory) can be still used for authorization – e.g. by checking if user belongs to a group.
It can be difficult to set it all on the first time. To get familiar with all the concepts I recommend following approach: