tag:blogger.com,1999:blog-16736742.post2606868264964996079..comments2010-03-05T22:57:41.673-05:00j. montgomery, CISSP, GNET, GSEChttp://www.blogger.com/profile/12993686496556355666noreply@blogger.comBlogger10125tag:blogger.com,1999:blog-16736742.post-45012275959196087622010-02-07T06:22:51.780-05:002010-02-07T06:22:51.780-05:00Hi<br /><br />Is it spossible to somehow use this solution and to have ASP.NET web application that will use ADFS 2.0 as STS and automatically authenticate users that have inserted their Smart Cards. ADFS will authenticate users agains AD.zokihttp://www.blogger.com/profile/04395343526683568053noreply@blogger.comtag:blogger.com,1999:blog-16736742.post-761188114587774012009-07-25T15:21:40.249-04:002009-07-25T15:21:40.249-04:00yep, you are correct - it&#39;s a mistake, - you can download the sample code linked from this post here:<br />http://securitythroughabsurdity.com/2007/05/sample-code-authentication-and.htmlj. montgomery, CISSP, GNET, GSEChttp://www.blogger.com/profile/12993686496556355666noreply@blogger.comtag:blogger.com,1999:blog-16736742.post-65103878744545783792009-07-24T22:52:15.030-04:002009-07-24T22:52:15.030-04:00While I am intrigued by the usefulness of something like this I am bother by many different things. First your C# code is wrong. Instead of Me it should be this. Also I make the changes to my web config file as instructed and the page won&#39;t compile. Another annoyance is where is the source code that I can download?Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-16736742.post-54348849351654300912007-10-24T21:41:49.277-04:002007-10-24T21:41:49.277-04:00> I was wondering if we can <BR/>> acheive this just by IIS<BR/>> configuration changes <BR/>> instead of any code change <BR/>> in the app<BR/><BR/>Depending on your requirements, you can get away with no code changes! If all you just need to do is verify that a smart card is signed by a specific Certificate Root Authority (CA) for authentication only, then you can configure that in IIS and shouldn't need to make any application changes.<BR/><BR/>If you need to do authorization/role validation then you will have to make some code changes or setup Smart Card to map to Window accounts and use windows Groups to limit access....j. montgomery, CISSP, GNEThttp://www.blogger.com/profile/12993686496556355666noreply@blogger.comtag:blogger.com,1999:blog-16736742.post-33190743987868921092007-10-22T09:06:00.000-04:002007-10-22T09:06:00.000-04:00Hi,<BR/>We have a web application [VS 2003] using windows authentication. We need to implement smartcard authentication for that application. I was wondering if we can acheive this just by IIS configuration changes instead of any code change in the app. Can you please help us in this?Tamilarasanhttp://www.blogger.com/profile/04371376522031749979noreply@blogger.comtag:blogger.com,1999:blog-16736742.post-66133513978859854892007-09-18T13:59:00.000-04:002007-09-18T13:59:00.000-04:00In our scenario, we will have smartcard certs mapped to windows accounts in AD. Is there anyway to tell that they user used a smartcard and not their username/password to authenticate on the local machine?<BR/><BR/>Thanks to HSPD12, we have been mandated that we will only use smartcards.Automatonhttp://www.blogger.com/profile/16730928079190124343noreply@blogger.comtag:blogger.com,1999:blog-16736742.post-14551356708277075982007-07-26T00:35:11.556-04:002007-07-26T00:35:11.556-04:00> Do you have any info on how to <BR/>> implement RSA SecureID token <BR/>> authentication with ASP.net.<BR/><BR/>I'm very curious about this as well - let me do some research and get back to you!j. montgomery, CISSP, GNEThttp://www.blogger.com/profile/12993686496556355666noreply@blogger.comtag:blogger.com,1999:blog-16736742.post-10890954162737355592007-07-25T13:58:00.000-04:002007-07-25T13:58:00.000-04:00Hi J,<BR/><BR/>Thanks for your article. Our company wants to implement 2 factor authentication.We decided to use USA token instead of smartcard for the reason of not tampering with user computers. We use ASP.NET 2.0 with C#. Do you have any info on how to implement RSA SecureID token authentication with ASP.net. Do we need forms authentication along with this. Currently, we are planning to.<BR/><BR/>I appreciate your response.<BR/><BR/>Thanks, <BR/>KattaAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-16736742.post-30302521069283344492007-04-30T16:33:40.153-04:002007-04-30T16:33:40.153-04:00I considered that, but I have some problems with that scenario:<BR/><BR/>1. A lot of our users who need to use this system are NOT in active directory.<BR/><BR/>2. Management overhead. Adding 1-to-1 mapping of several thousand users is a logistical nightmare.<BR/><BR/>3. Last, but not least, you have to know each users password setup their certificate to AD mapping. This deminishes security as someone needs to know all the users passwords other then Active Directory.<BR/><BR/>For a smaller implementation, what you suggest is very reasonable, but for a large enterprise it doesn't scale well.j. montgomeryhttp://www.blogger.com/profile/12993686496556355666noreply@blogger.comtag:blogger.com,1999:blog-16736742.post-78201010788718535642007-04-30T15:53:00.000-04:002007-04-30T15:53:00.000-04:00Hey, j. montgomery!<BR/>Very thorough work!<BR/><BR/>You may look into simpler solution where the client certs are verified by IIS, then certs are mapped to windows accounts - no need for AD, and then role based authorization is applied either via URL authorization or principalpermission attribute<BR/><BR/>Here is how it can be done for web services:<BR/><BR/><BR/>http://blogs.microsoft.co.il/blogs/alikl/archive/2007/01/29/SOA_2C00_-Strong-Authentication_2C00_-Standard-Authorization-_2D00_-Cool-Solution.aspxalik levinhttp://blogs.msdn.com/aliklnoreply@blogger.com