Smart Card Authentication Module Update Released

3:14 PM j. montgomery 42 Comments

I’ve finally wrapped up updating the SmartCardAuthenticationModule. The link to the download is at the end of this post.

A complete write-up of the previous version can be located here:

Changes / Improvements

  • Added support for ASP.NET Membership, which means support for Profiles and Roles as well.
  • Removed all custom database requirements from the Module. If custom DB access is needed, this can be implemented in a Global event.
  • Removed SmartCardPrincipal class. Smart Cards only help establish identity and don’t provide any role membership information, so I opted to remove the class and instead just wrap the identity into a GenericPrincipal. If the ASP.NET Role provider is being used, the Role module will automatically wrap the SmartCardIdentity in a RolePrincipal. Implementers can also add custom event code in the Global to use any Principal of their choice.
  • Added ASP.NET Health Monitoring events for auditing Success and Failed logins, as well as when Membership accounts are created.
  • Added support for custom error pages on a 401 Unauthorized.
  • Added the following Smart Card Authentication Module events:
    • Authenticate
    • FailedMembershipAuthentication
    • MembershipValidating
    • MembershipUserCreated
    • MembershipUserCreating

OOTB Behavior

The out of the box behavior for the Smart Card Authentication module is as follows:
  1. With ASP.NET Membership – The first time a user visits the web site, the Smart Card Authentication Module will automatically create a Membership account in a disabled state. The new MembershipUser will not have access until the account is enabled through the Membership Admin. For users who visit the site and already have a Membership account, the Module will call the Membership.ValidateUser() method and will only allow them access if their Smart Card is the same as it was when they enrolled and the account is enabled.
  2. With ASP.NET Membership and ASP.NET Roles – The RolePrincipal will contain the SmartCardIdentity. IsInRole() checks will work as expected and the SmartCardIdentity will also be available.
  3. Without ASP.NET Membership/RoleProvider enabled – the SmartCardAuthenticationModule will authenticate the user and attach a GenericPrincipal with NO ROLES to the HttpContext.User. To provide custom roles (when not using the ASP.NET RoleProvider), subscribe to the SmartCardAuthentication_Authenticate event in Global.asax and attach an IPrincipal containing the roles appropriate for authorization.


Configure the Web project to have a reference to the SmartCardAuthenticationModule. This can be accomplished in one of two ways:
  1. Add a reference to the SmartCardAuthentication.dll to the web application project.
  2. To have the Smart Card Authentication Module source available in the solution, add the SmartCardAuthentication Project to the Solution containing your web project and then add a project reference to the SmartCardAuthenticationModule.
In IIS, install an SSL/TLS Certificate and, for Client Certificates, make sure to check either Accept or Require for the Web Site or Application. For production environments, Require SSL checked and Require Client Certificates selected is recommended:

Additionally, make sure to Enable only Anonymous Authentication in IIS:

HTTP Modules are installed differently depending on which version of IIS is being used.


Launch the Internet Information Services (IIS) Manager and install the SmartCardAuthenticationModule in the Modules Feature under IIS section like so:
1. Open IIS Manager and expand the web site / application to enable the module:

2. Choose the Modules Feature under the IIS section, then click Add Managed Module… in the Right hand Actions pane.


3. The Add Managed Module dialog box will pop up. In the Name box, type in a name like SmartCardAuthenticationModule. The drop-down should contain an entry for the assembly SmartCardAuthentication.SmartCardAuthenticationModule that was detected from adding a reference to the project. When the reference is added, the SmartCardAuthentication.dll should have been put in the /bin folder of the application.


4. Click OK.
The steps above add the following XML to the web.config:
      <add name="SmartCardAuthentication"
           preCondition="" />
NOTE: Only set preCondition="managedHandler" if you want the Smart Card Authentication Module to protect only ASP.NET pages. If you want the module to protect your images and other documents on the web server as well, make sure to leave preCondition empty.

IIS 5.1 / 6.0

For older versions of IIS, simply add the following XML to the web.config file in the root of the web application:

<?xml version="1.0"?>
      <add name="SmartCardAuthentication"


There are several events provided in the SmartCardAuthenticationModule that will override the Smart Card Authentication Module’s default behavior. These events can be overridden in the Global.asax.
The events are:
  • Authenticate
  • MembershipUserCreating
  • MembershipUserCreated
  • MembershipValidating
  • FailedMembershipAuthentication
For the events to be properly wired up, they must be prefixed with the Module Name followed by an underscore. For example, to subscribe to the Authenticate event, the method name would be SmartCardAuthentication_Authenticate.

SmartCardAuthentication_Authenticate Event

The Authenticate event is used to override the default authentication behavior of the Smart Card Authentication Module.
By default, the Smart Card Authentication Module will authenticate all Smart Cards / Client Certificates allowed in by IIS unless Membership is used. The Module also will not assign any roles, unless using the ASP.NET RoleProvider. Using information from the X.509 certificate, this event can be used to authenticate users and retrieve their corresponding roles.
When implementing this event:

  • For Authentication to be successful, attach an IPrincipal containing the SmartCardIdentity to the AuthenticationEventArgs.User property. Make sure to set the IsAuthenticated property to true.
  • To signal the Smart Card Authentication Module that Authentication has failed, either set the AuthenticationEventArgs.User property to null, or attach the IPrincipal to the AuthenticationEventArgs.User property and set IsAuthenticated to false.
// Requires: using System.Security.Principal;
protected void SmartCardAuthentication_Authenticate(object sender,
                SmartCardAuthentication.AuthenticationEventArgs e)
{
  // NOTE: e.Identity has the Smart Card Identity extracted by
  // the SmartCardAuthenticationModule
  if (e.Identity != null)
  {
    // Write code to take SmartCard information from e.Identity
    // and:
    // 1. Authenticate: Check the user against the user data store
    // and check if they should be authenticated
    // e.g. From Active Directory, LDAP, Custom DB, etc.

    // FOR DEMO PURPOSES THIS HARD CODES IIdentity.IsAuthenticated
    // It may be acceptable to hard code in certain situations
    // where Certificate Trust Lists (CTL) are configured
    // and properly restrictive in IIS
    e.Identity.IsAuthenticated = true;

    if (e.Identity.IsAuthenticated)
    {
      // 2. Authorize: Retrieve roles
      // e.g. From Active Directory, LDAP, Custom DB, etc.
      // string[] roles =
      //   DBAccess.GetRolesByPublicKeyhash(e.Identity.PublicKeyHash);
      // string[] roles =
      //       LDAPAccess.GetRolesByUPN(e.Identity.UserPrincipalName);
      // For Demo purposes, this uses HARD CODED ROLES
      string[] roles = new string[] { "Accounting", "Administrator" };

      // 3. Create a new Principal object using
      // retrieved roles and the Smart Card Identity (e.Identity)

      // This example will use GenericPrincipal, which works well
      // when you don't need a specific principal
      GenericPrincipal genericPrincipal =
                      new GenericPrincipal(e.Identity, roles);

      // 4. Attach the IPrincipal to the e.Context.User OR the
      // e.User to signal the SmartCardHttpModule that
      // authentication has been handled
      e.User = genericPrincipal;
    }
    else
    {
      // NOT AUTHENTICATED, make sure user is null to signal
      // the SmartCardHttpModule that authentication has been
      // handled
      e.User = null;
    }
  }
}

SmartCardAuthentication_MembershipUserCreating Event

The MembershipUserCreating event is used to override the Smart Card Authentication Module’s default behavior of Membership Account creation.
This event allows control over how membership accounts are created, including information that might also need to be added to the user’s profile, and whether the Membership accounts are enabled or disabled when created. When using something other than e.Identity.Name and e.Identity.PublicKeyHash as the Membership username and password, also implement the SmartCardAuthentication_MembershipValidating event to make sure Membership.ValidateUser() is called with the correct username and password.
When implementing this event:
  • When creating the Membership User account, take care when setting the isApproved argument in the Membership.CreateUser() method. Only set it to true if the Identity is from a valid user of the system. Remember, anyone could present a false Client Certificate and attempt to spoof a Smart Card.
  • Likewise, exercise caution when setting the MembershipEventArgs.Identity.IsAuthenticated property to true for the same reasons outlined above.
  • After creating the Membership User account, assign the newly created MembershipUser to the MembershipEventArgs.MembershipUser property.
protected void SmartCardAuthentication_MembershipUserCreating(
                   object sender,
                   SmartCardAuthentication.MembershipEventArgs e)
{
  // Account doesn't exist, add it
  MembershipCreateStatus status;

  // In this example, auto-enable the user (NOT USUALLY A GOOD IDEA unless
  // there is data available in back end systems that can validate the
  // Smart Card information as authentic). This is done by setting the
  // 6th argument of Membership.CreateUser() to true.
  // The user name and password below follow the defaults described
  // above; passing null for the e-mail argument is an assumption.
  MembershipUser user = Membership.CreateUser(
                               e.Identity.Name, e.Identity.PublicKeyHash, null,
                               null, null, true, null, out status);

  if (status == MembershipCreateStatus.Success)
  {
    // Success, attach the newly created user to the Membership
    // eventArgs.
    e.MembershipUser = user;

    // Make sure to also set IsAuthenticated to true to signal the
    // Smart Card Module that this user is authenticated.
    e.Identity.IsAuthenticated = true;
  }
  else
  {
    // There was an error creating the account so throw the error.
    throw new MembershipCreateUserException(status);
  }
}

SmartCardAuthentication_MembershipUserCreated Event

The MembershipUserCreated event allows implementers the ability to do further Membership account or Profile configuration setup after the Smart Card Authentication Module creates the MembershipUser account using the default Membership Provider.
This event is raised right after the Smart Card Module automatically creates the membership account. This allows access to the automatically created Membership User account and also provides a place to automatically enable the Membership account or to notify the administrator that a new Membership account has been created and that action is required to validate and enable it.

SmartCardAuthentication_MembershipValidating Event

The MembershipValidating event is used to override the Smart Card Authentication Module’s default Membership validation behavior.
The MembershipValidating event provides a place to override the Smart Card Authentication Module’s default Membership validation routine. This is useful if the Membership Username and Password need to be different than the default implementation.
When implementing this event:

  • For a successful Membership Authentication, assign the MembershipUser to the MembershipEventArgs.MembershipUser property and set the MembershipEventArgs.Identity.IsAuthenticated to true.
  • For an unsuccessful Membership Authentication, set the MembershipEventArgs.MembershipUser to null and the MembershipEventArgs.Identity.IsAuthenticated to false.
protected void SmartCardAuthentication_MembershipValidating(object sender,
                     SmartCardAuthentication.MembershipEventArgs e)
{
  // Provide new Membership Validation
  bool isUserValidated = false;
  // Does Smart Card User have a Membership account?
  if (Membership.FindUsersByName(e.Identity.Name).Count == 1)
  {
    // Yes, validate them
    isUserValidated = Membership.ValidateUser(e.Identity.Name,
                                              e.Identity.PublicKeyHash);
    // account might be marked Inactive, so set the IIdentity to
    // match Membership
    e.Identity.IsAuthenticated = isUserValidated;
    e.MembershipUser = Membership.GetUser(e.Identity.Name);

    if (!isUserValidated)
    {
      // Authentication with Membership provider failed.
      e.MembershipUser = null;
    }
  }
  else
  {
    throw new ApplicationException("Membership user not found.");
  }
}

SmartCardAuthentication_FailedMembershipAuthentication Event

The FailedMembershipAuthentication event is fired when an authentication failure occurs for any reason in the Smart Card Authentication Module, whether it’s Membership Auth failure or Smart Card Identity authentication failure.
This can mean one of several things:
  • Someone provided a Client Certificate or Smart Card that is not authorized to use the site.
  • Someone’s Smart Card / Client Certificate expired and needs to be renewed.
  • The information registered in the Membership database doesn’t match the Smart Card / Client Certificate supplied data.
Since the X.509 certificates on Smart Cards and Client Certificates expire, there may be a way to detect and automatically re-enroll the user’s new X.509 certificate.
Additionally, it may be used to do custom account lockout after several failed logins. If using a Membership Provider, use its account lockout mechanisms instead.
protected void SmartCardAuthentication_FailedMembershipAuthentication(
               object sender,
               SmartCardAuthentication.AuthenticationEventArgs e)
{
  // Use e.Identity data retrieved from the X.509 certificate and
  // auto-enroll if able to verify the new X.509 certificate data.

  // At Minimum, log failed log-ins and perhaps incorporate it into
  // workflow for re-enrolling users with expired certificates.
}
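An added example (not code from the module or the original post) that puts the Authenticate and FailedMembershipAuthentication guidance together for a site that does not use a Membership provider: the Authenticate handler fails closed unless the card is enrolled and not locked out, and the failure handler logs and counts failures. FailedLoginTracker, EnrolledCards, the sample hash and the 5-failures-in-15-minutes policy are hypothetical, and e.Identity.PublicKeyHash is assumed to be a string.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical helper: counts recent failures per card in a sliding window.
public sealed class FailedLoginTracker
{
    private readonly int _maxFailures;
    private readonly TimeSpan _window;
    private readonly object _gate = new object();
    private readonly Dictionary<string, Queue<DateTime>> _failures =
        new Dictionary<string, Queue<DateTime>>(StringComparer.OrdinalIgnoreCase);

    public FailedLoginTracker(int maxFailures, TimeSpan window)
    {
        _maxFailures = maxFailures;
        _window = window;
    }

    // Records one failure and returns how many fall inside the window.
    public int RecordFailure(string key, DateTime nowUtc)
    {
        lock (_gate)
        {
            Queue<DateTime> times;
            if (!_failures.TryGetValue(key, out times))
            {
                times = new Queue<DateTime>();
                _failures[key] = times;
            }
            Prune(times, nowUtc);
            times.Enqueue(nowUtc);
            return times.Count;
        }
    }

    // True while the card has reached the failure limit inside the window.
    public bool IsLockedOut(string key, DateTime nowUtc)
    {
        lock (_gate)
        {
            Queue<DateTime> times;
            if (!_failures.TryGetValue(key, out times)) return false;
            Prune(times, nowUtc);
            if (times.Count == 0) _failures.Remove(key); // forget idle cards
            return times.Count >= _maxFailures;
        }
    }

    private void Prune(Queue<DateTime> times, DateTime nowUtc)
    {
        while (times.Count > 0 && nowUtc - times.Peek() >= _window)
            times.Dequeue();
    }
}

public class Global : System.Web.HttpApplication
{
    // Assumed policy: 5 failures within 15 minutes locks the card out.
    private static readonly FailedLoginTracker Tracker =
        new FailedLoginTracker(5, TimeSpan.FromMinutes(15));

    // Hypothetical stand-in for the AD / LDAP / DB lookup; constructed hash.
    private static readonly Dictionary<string, string[]> EnrolledCards =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "0123456789ABCDEF0123456789ABCDEF01234567", new[] { "Accounting" } }
        };

    protected void SmartCardAuthentication_Authenticate(object sender,
                    SmartCardAuthentication.AuthenticationEventArgs e)
    {
        e.User = null;                          // fail closed by default
        if (e.Identity == null) return;
        e.Identity.IsAuthenticated = false;

        string hash = e.Identity.PublicKeyHash; // assumed to be a string
        string[] roles = null;
        if (string.IsNullOrEmpty(hash) ||
            Tracker.IsLockedOut(hash, DateTime.UtcNow) ||
            !EnrolledCards.TryGetValue(hash, out roles))
        {
            return;                             // rejected: User stays null
        }

        e.Identity.IsAuthenticated = true;
        e.User = new GenericPrincipal(e.Identity, roles);
    }

    protected void SmartCardAuthentication_FailedMembershipAuthentication(
        object sender, SmartCardAuthentication.AuthenticationEventArgs e)
    {
        string hash = e.Identity == null ? null : e.Identity.PublicKeyHash;
        string key = string.IsNullOrEmpty(hash) ? "(no certificate)" : hash;
        int recent = Tracker.RecordFailure(key, DateTime.UtcNow);
        System.Diagnostics.Trace.TraceWarning(
            "Smart card login failed: hash={0} recentFailures={1}", key, recent);
    }
}
```

Attempts made while a card is locked out are counted as failures too, and the counters live in the application domain, so they reset when the application pool recycles.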

Custom Unauthorized Page

To display a custom 401 Unauthorized page, include it in the customErrors node of the web.config like so and unauthorized users will be re-directed to it.
<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.web>
    <customErrors mode="On">
      <error statusCode="401" redirect="Unauthorized.aspx"/>
    </customErrors>
</system.web></configuration>
Make sure to grant access to anonymous users to the Unauthorized page in the web.config:
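<?xml version="1.0" encoding="UTF-8"?>
<configuration><location path="Unauthorized.aspx">
    <system.web><authorization>
        <allow users="?" />
        <deny users="*" />
    </authorization></system.web>
</location></configuration>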

Download Source

You can download the source here.

Comments, questions, feedback, and feature requests welcome. Also if you run across any bugs let me know.


  1. Hi I was following along to I am having a problem I believe with the setup. I have anonymous access enabled for my website however I still get prompted for a domain username and password after I select a certificate. Any idea on why that would happen? Thanks

  2. I have one thought right off - have you granted the IUSR account read access to the web folder? Windows File/Folder ACLs are still enforced even with anonymous access so IUSR will need access to the folder. Let me know if that does it!

  3. Great Work! Is there any way to avoid the client certificate store from caching the cert? Is this a function of the CSP? I think it would be much more useful if it just read the cert without enrolling on the client.

  4. As it turns out, I misinterpreted what was happening. Resolution was twofold: the CSP was set to cache all client certificates, and IE was prompting for the user to select a certificate because it found more than one. By disabling certificate caching in the CSP, IE now only presents the selection box if more than one certificate is present on the smart card.

  5. Is this designed to work with ASP.NET 2.0?

  6. How are the client certificates included used? If I try to load them, they ask for a password yet I cannot find one in your blog.

  7. Oops, I thought I included that somewhere. I believe the password is 'password'. Let me know if you have issues.

  8. The password is indeed password. Can't believe I didn't try that, hah.

  9. I have 1 problem, and I'm pretty sure it's with my IIS setup or my web.config file. IIS is giving me Access Denied errors if I try and browse in the root of the site or virtual folder but browsing to a folder contained within (admin) works just fine.

    For example: = fail = OK
    for a user in "Administrator" role.

    The same applies if I have domain like

    This is using your "SmartCardAuth" project.

    A user not in the membership database is allowed to browse default.aspx or enrolluser.aspx.

  10. Hmm, difficult to say.

    Have you allowed anonymous access to the root of your site in the web.config?

    For example:
    <location path="/">
          <allow users="?" />

  11. Hi.

    Nice post, thanks.
    But I don't get how you manage to send commands to a reader that is on the client side ? I can see no activeX control or anything related... What does the client receive that makes its read send information ?

    Thanks in advance

  12. It's all transparent to the Web Application. The OS and Web Browser handle the reading of the Smart Card natively and present the X.509 cert to the server.

    Here's a basic representation of what happens:
    0. User requests access to SSL/TLS Site that requires Client Certificate.

    1. Web Site attempts to establish an SSL/TLS connection with the web browser and requests a Client Certificate.

    2. The web browser checks the local certificate store (either the OS cert store or Browser store depending on what browser you are using) for any certificates that have the Enhanced Key Usage attribute set to Client Authentication (OID:

    3. The browser then presents a list of these certificates to the user to select the one they would like to use to establish the SSL/TLS connection with the server.

    4. If the user selects one that is associated with a Smart Card, the OS / Middleware takes over and prompts for the pin (or uses cached pin) and reads the X.509 cert data needed from the Smart Card.

    5. The Server and Browser establish an SSL/TLS connection and the client's X.509 certificate is then included in the HTTP request headers and sent to the server.

    6. The X.509 Certificate can now be accessed by the Web Application.

    If data that isn't contained in the X.509 certificate needs to be read by the web application, then you would need to write an ActiveX.

  13. Using IIS 5.1 and VS2005, I added the DLL to the project and the proper Web.Config entry but I get this error:
    Object reference not set to an instance of an object.

    I took the DLL out and added the source and the error comes up on this line:

    Line 160: if (membershipArgs.MembershipUser == null)

    in SmartCardAuthenticationModule.cs

    Any hints on what could be causing this? Is it just using VS2005/IIS 5.1 instead of something newer?

  14. Adam, you have ASP.NET set to use the 2.0 framework?

  15. If I change
    if (membershipArgs.MembershipUser == null)
    if (membershipArgs == null)

    It doesn't throw the reference and it seems to create the user but it throws another null object exception on line 142:
    this.FailedMembershipAuthentication(this, e);

    Going the other direction the whole reason membershipArgs is still null is something doesn't happen here:

    if (this.MembershipUserCreating != null)
    membershipArgs = new MembershipEventArgs(e.Identity, e.Context);

    this.MembershipUserCreating(this, membershipArgs);

    Since I'm using IIS and not VS2005's built-in webserver I can't add in breakpoints to see exactly what is going on.

  16. I had this same problem, fixed it, now it's happening again.

    I thought it had to do with a missing global.asax file. I'm having the problem again, though, with the global.asax file. I'm baffled why this problem came back.

    It only occurs if I use a client certificate not associated with a membership user (so it would be the first time using the certificate)

  17. OK, I fixed the problem again. This time by copying the web.config file from the SmartCardAuth project to my project. I can't figure out what the differences are.

    I'm still certain this problem is caused by not having the global.asax file. If I take my working application, comment out parts of the global.asax file, then it breaks again.

    If the global.asax file isn't there, with the smartcard events, then this.MembershipValidating is always null and MembershipArgs never gets created.

  19. In the IsCertificateHashValid function, it seems to be looking at SignatureAlgorithm to determine which hash algorithm to use (SHA1, SHA256, MD5). However, the hash that it looks up is the Thumbprint, and it doesn't seem like there's any way to determine Thumbprint Algorithm from X509Certificate2.

    I have a case where these do not match, my SignatureAlgorithm is MD5, but the Thumbprint Algorithm is SHA1, so this function always returns false. I removed the switch/case and just use SHA1, since all of the Thumbprint Algorithms I've seen so far have been SHA1, but I'm sure there's a better way.

    Thank you.
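The behaviour described in the comment above, shown as an added example that is not part of the module's source or the original post: the Thumbprint reported by X509Certificate2 is a SHA-1 hash of the certificate's encoded bytes, whatever algorithm signed the certificate. It assumes a runtime with CertificateRequest (.NET Framework 4.7.2 or later, or .NET Core 2.0 or later); the certificates and the class and method names are constructed for the demonstration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class ThumbprintDemo
{
    // Builds a throwaway self-signed certificate signed with the given hash.
    public static X509Certificate2 MakeCert(HashAlgorithmName signatureHash)
    {
        using (RSA key = RSA.Create(2048))
        {
            var request = new CertificateRequest(
                "CN=Constructed Test Card", key, signatureHash,
                RSASignaturePadding.Pkcs1);
            return request.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddDays(-1),
                DateTimeOffset.UtcNow.AddDays(30));
        }
    }

    // Recomputes the thumbprint by hand: SHA-1 over the DER-encoded certificate.
    public static string Sha1OfRawData(X509Certificate2 cert)
    {
        using (SHA1 sha1 = SHA1.Create())
        {
            byte[] digest = sha1.ComputeHash(cert.RawData);
            return BitConverter.ToString(digest).Replace("-", "");
        }
    }

    // True when the framework's Thumbprint equals SHA-1(RawData).
    public static bool ThumbprintIsSha1(X509Certificate2 cert)
    {
        return string.Equals(cert.Thumbprint, Sha1OfRawData(cert),
                             StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        // Two certificates whose signature algorithms differ from SHA-1.
        var algorithms = new[] { HashAlgorithmName.SHA256, HashAlgorithmName.SHA384 };
        foreach (HashAlgorithmName algorithm in algorithms)
        {
            using (X509Certificate2 cert = MakeCert(algorithm))
            {
                Console.WriteLine("signature={0} thumbprint={1} sha1(RawData) matches={2}",
                    cert.SignatureAlgorithm.FriendlyName,
                    cert.Thumbprint,
                    ThumbprintIsSha1(cert));
            }
        }
    }
}
```

A hash check that recomputes the thumbprint therefore has to use SHA-1 over RawData (or compare against GetCertHash()) and cannot pick the hash from SignatureAlgorithm.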

  20. I now have this working on an internal project at my work. I removed all code that checks to see if there's code running from the global.asax (the lines that break) since I have no need for custom code. For some reason, the chain validate is always false on my server. Not sure why, I'll have to get the server admins to check that. It took them a while to get the certificates on the server in the first place.

    I'm not sure if this solution is better than certificate mapping on an intranet site, but it makes more sense to me for locking access down to only a few users.

    Anyways, great code and it's very handy. I've learned a lot from it as well.

  21. Hi there,

    I have a simple question about client certificate authentication.

    Our site works on ssl and supports both forms authentication and smart card authentication. Any user can supply username/password and login to our site and use it on ssl. The same user may use his smart card to login too.

    The login page is delivered to the user via ssl which means a secure connection is already established at the time of login. According to what I understood from your reply at August 02, 2010, if the user tries to login the site via smart card, a new secure connection is established between the server and the client using the information (private key probably) on the smart card and the certificate related to it. This whole process is done by IE and IIS. I wonder if what I understood is true.

    Thanks for the great work and any help you can provide.

  22. hi, thanks for your work!!!
    I am asked to write a web application that can read smart card and your post is the best one I can find!!
    But I have a stupid question...How can I test this web application? I have set up everything, and all I need is just to test it...Would somebody please provide me some ways to test this?

    ps: there are one .cer file and two .pfx files in your source file, what's the purpose of these files? How can I use them?

  23. OrangeApple - thanks!

    Couple of things...and I apologize there aren't great instructions for setup...

    1. You must host this web site in IIS. The Visual Studio built in web server doesn't have certificate support.

    2. Import the certificates into your certificate store using certmgr.msc - This will open the User Certificate Store in Windows. Make sure you put these in the Personal folder. These are the certificates I generated so that you can use them to authenticate to the web site. You could just as easily generate your own.

    3. If you're running on Windows Vista / Windows 7 / Server 2008, you have to explicitly install the certificate features. "Client Certificate Mapping Authentication" and maybe "IIS Client Certificate Mapping Authentication" - it's been a bit, you may only need one of those.

    4. Read through this article on IIS setup and configuration and hopefully it will fill in some of the missing pieces:

  24. Jason,

    First, Thank you for providing a detailed article for Smart Card Authentication.

    I have downloaded and installed the code and it works fine. Although, I think the following are the requirements for the application to work

    1. SQL Server Express on the Server.

    2. Our server has .NET framework 4.0 installed and the SmartCard application is configured to use 2.0 application pool which is configured as 'Integrated' in Managed pipeline mode. The 'Classic' mode throws an error, are there any compatibility issues?

    Are the assumptions correct?


  25. You need SQL Server with the ASP.NET membership tables configured. I've successfully used it on SQL Server 2005, 2008 and the Express versions of both. You can configure the tables by running the tool aspnet_regsql.exe located in C:\Windows\Microsoft.Net\Framework\. Note that with .NET 3.5, you use the tool located in the .NET 2.0 framework folder.

    I haven't had any issues running the code with .NET 2.0 in 'Integrated' mode. My production server is IIS6.0, so 'Classic' mode shouldn't cause any problems related to the smart card code.

  26. Thanks for the response.

    I like to avoid using the profile, membership or roles association with the authentication process. Is that possible?

    If so, I can avoid SQL server installation in the server, correct?

    Regards, Karthi

  27. Jason,

    First of all, many thanks for the work!

    Now, I do have a small problem(..). I can't get the SmartCardAuth project to work. When I try to run the sample, I get the following error: "Unable to cast object of type 'System.Security.Principal.GenericIdentity' to type 'SmartCardAuthentication.SmartCardIdentity'". Now, I'll be the first to admit I'm new to all this, but I can't figure out why I get this error.

    Any help is very welcome!

  28. If you are getting a GenericIdentity it sounds like the HttpModule isn't set up properly.

    Enumerate the loaded HTTP Modules and make sure the SmartCardAuthentication.SmartCardAuthenticationModule is loaded. You could also put a breakpoint in there to see if they are being triggered.

  29. Loaded HTTP Modules includes SmartCardAuthenticationModule, but so far, I still get the same error. Any more suggestions?

  30. Eric, do you plan on using this with the GenericIdentity (as documented above?) - if so you probably need to fix a Cast in your aspx page. instead of casting to SmartCardIdentity, cast it to GenericIdentity.

  31. Well, no. I want to authenticate users of my web-application using their smartcard, so I think I need the SmartCardIdentity. I want to link users+roles as well.. Any help would be appreciated.

  32. I currently have a forms authenticated (username/password) site. The users are currently being authenticated to Active Directory. In this site the user is able to add/edit/delete AD users if he or she has the correct permissions. The users would like to include the option of logging in with their smart card. I was looking at your solution as a base to get started with this requirement, but I cannot wrap my head around how to tie the smart card authenticated user with an active directory user. Any tips would be appreciated.

  33. I would suggest looking into adding onto the default membership. Try adding the necessary smart card properties to the MembershipUser class. This would allow you to have the necessary information for forms auth and smartcard auth without affecting accounts.

    Here's some resources that could help explain better:

  34. Can't download the source code...broken link

  35. Jason, I'm building on a working reference implementation and have come across a snag. It seems that if the smart card is present in the reader when I browse to the site, everything works great. If the smart card is inserted into the reader after SmartCardAuthentication module is loaded, I get "Unable to cast object of type 'System.Security.Principal.GenericIdentity' to type 'SmartCardAuthentication.SmartCardIdentity'." The only method I have discovered to correct the problem is to close all instances of IE, and browse to the site with the smart card inserted. Is there a way to reinit the module without closing the browser? Secondarily, is there a method to dispose of the authenticated user? i.e. swapping smart cards will display the certificate information from the initial card until IE is restarted. Thanks!

  36. Thanks for the great work! .. and help me to complete a web site: I'm not very familiar with smart card authentication so I intercepted all the above problems. Is it possible to ask you to have a little web site application project all configured with your module that have only the objective to display card info inserted? Help, please. However very impressive work!

  37. Jason, Thanks for the article. I have the application working on my test setup. Although I don't have very good understanding of how all this is working. One thing that I am trying to figure out is, does user need to be on the same domain as the IIS server to authenticate? I don't have a way to test this case in my current environment. Could you please help me understand this?

    Also, is there a way to test out expired certificate? I am assuming I can import an expired certificate into IE store and test it. Is this correct?


  39. I've implemented the package into my MVC test project, I have everything set up to the point it is reading the card, firing the authenticate event in global (to assign test roles because I'm not using the roles), and it fails on the call to attribute [principalPermissions(...)]. It fails with the following exception:

    Exception has been thrown by the target of an invocation.
      at System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandleInternal& ctor, Boolean& bNeedSecurityCheck)
      at System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache, StackCrawlMark& stackMark)
      at System.RuntimeType.CreateInstanceDefaultCtor(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache, StackCrawlMark& stackMark)
      at System.Activator.CreateInstance(Type type, Boolean nonPublic)
      at System.Activator.CreateInstance(Type type)
      at System.Web.Mvc.DefaultControllerFactory.DefaultControllerActivator.Create(RequestContext requestContext, Type controllerType)
    Method is only supported if the user name parameter matches the user name in the current Windows Identity.
      at System.Web.Security.WindowsTokenRoleProvider.GetCurrentWindowsIdentityAndCheckName(String userName)
      at System.Web.Security.WindowsTokenRoleProvider.GetCurrentTokenAndCheckName(String userName)
      at System.Web.Security.WindowsTokenRoleProvider.GetRolesForUser(String username)
      at System.Web.Security.RolePrincipal.IsInRole(String role)
      at System.Security.Permissions.PrincipalPermission.Demand()
      at System.Security.PermissionSet.DemandNonCAS()
      at NECSupply.Controllers.HomeController..ctor()

    I did notice if I move that attribute from the homeController to the index action it simply displays the default MVC error (my guess would be because I haven't set up the custom unauthenticated page yet). Main point is when put there I no longer see the raised event.... thoughts anyone?

    Greatly appreciate any and all help! Thanks!!

  40. Ok I figured that issue out, I had the Role token principal enabled in web.config. Next issue heh... Using this in MVC it doesn't seem to be utilizing the "HandleUnauthorizedRequest" feature, I am assuming that is because I have overridden the default authentication type in global with the authenticate event.

    Any suggestions on how to modify this module to utilize a custom view for unauthorized visits? Right now it just raises the "Request for principal permission failed" error.

    Thank you for the help!