
Blog Post

CAC Authentication

Getting everyone into cairs.net and Subscriber Portal (SP) can be a challenge when not all of the users are on the same domain. For anyone who has users on a different domain who can connect to SP or cairs.net through CEDC but have no Windows login, there is now a solution: CAC Authentication. Both cairs.net and SP can now be set up to authenticate users through the client certificates on their CAC cards.

For SP subscribers, the certificate information has been added to their subscriber record.  For cairs.net users, there are now two types of user records under System Admin > Security.  These menus are Users – Windows, and Users – Certificate.

For these two user types, any user that is not in the system will automatically be added as a new user, without permission to log in. To grant the user permission to log in to cairs.net, go to the New Users view, open the user record, and change them to an authenticated user.

For Windows Users, uncheck the New Unauthorized User checkbox, and assign appropriate permissions.

For Certificate Users, change the User Status to Authorized, and set appropriate permissions for that user.

Here are some things that need to be set up for this to work:

· Configure HTTPS in IIS
· Require Client Certificates in IIS
· Turn on only Anonymous Authentication in IIS (optional but recommended)
  NOTE: The certificate will authenticate the user. This will be managed by cairs.net or SP.
· Change the new Security Type setting in cairs.net.

For those of you interested in the details, here they are.  All of these steps are written for IIS 7.5.  If you have an earlier or later version of IIS, these steps may be different.

Configure HTTPS in IIS

In order to configure HTTPS, you will need a server certificate issued by your certificate authority. Unique Communications cannot generate these certificates, because the client certificates on the CAC cards must chain to the same root certificate, and only the certificate authority can issue a certificate under that root. If you do not have a server certificate for your server, you will need to request one. This certificate is keyed to your server and its public URL, so that anyone connecting to your server can verify that it can be trusted.

Once you have the server certificate, you can configure HTTPS.

Installing the Server Certificate

If you have not already installed the Server Certificate on your server, you must do that first.  If you have already done this, please skip to the next section.  Server Certificates are installed from the Home page of IIS under IIS > Server Certificates.  Open this feature and click the “Import…” action.

Edit Bindings for the Web Site

The final step of enabling HTTPS is to add a binding for https. If you have already added the binding for HTTPS, you can move on to the next step. You must add the binding to the web site, and NOT to the applications below the web site. From the Connections pane, go to the web site, right-click it, and choose Edit Bindings…

In the Site Bindings dialog, first make sure that https is not already configured, and then click the “Add…” button.

For the Type, select “https”, then select your SSL certificate.

At this point, you should be able to access both CEDC and SP using HTTPS.

Require Client Certificates in IIS

Once HTTPS is configured and working, the next step is to require client certificates in IIS.  This is done at the application level.  From the connections pane, under the web site, CEDC and SP should be installed.  Click on CEDC and look in the features view under IIS.  Click on the feature button for SSL Settings.

“Require SSL” must be checked, and Client Certificates must be set to “Require”.

At this point, when opening SP or CEDC, the browser should ask the user for a certificate.

Turn on Only Anonymous Authentication in IIS

Since cairs.net or Subscriber Portal will authenticate the user with their certificate, there is no longer a need for other forms of authentication. However, you may wish to leave Windows or Forms authentication on for one reason: to transition your existing users from one of these other authentication mechanisms to certificate authentication. If both certificates and another authentication mechanism are used, then cairs.net can be configured to transfer the permissions from the old user record to the new one. Further discussion on this topic is in the last section of this blog post (Change the new Security Type setting in cairs.net).

To turn on only anonymous authentication, do the following:  From the connections pane, under the web site, CEDC and SP should be installed.  Click on CEDC and look in the features view under IIS.  Click on the feature button for Authentication.

In the Authentication view, disable everything except “Anonymous Authentication”.
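The three IIS steps above (HTTPS binding on the site, Require SSL plus required client certificates on the applications, anonymous authentication only) can also be applied with the WebAdministration PowerShell module. This is an added example, not code from the original post or from Unique Communications; it assumes the site is named "Default Web Site", the applications are "CEDC" and "SP", and the server certificate has already been imported into the LocalMachine\My store (the thumbprint is a placeholder).

```powershell
# Added example: scripts the IIS 7.5 steps described above with WebAdministration.
# Assumptions (not from the post): site name, app names, cert already in LocalMachine\My.
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

$siteName   = 'Default Web Site'                     # assumed site name
$apps       = @('CEDC', 'SP')                        # application names used in the post
$thumbprint = 'REPLACE_WITH_SERVER_CERT_THUMBPRINT'  # placeholder, not a real value

# 1. Configure HTTPS: the binding belongs on the web site, NOT on the applications.
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    New-Item 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
}

$authBase = 'system.webServer/security/authentication'
foreach ($app in $apps) {
    $appPath  = "IIS:\Sites\$siteName\$app"
    $location = "$siteName/$app"

    # 2. Require SSL and require a client certificate at the application level
    #    (same as "Require SSL" + Client Certificates = "Require" in SSL Settings).
    Set-WebConfigurationProperty -PSPath $appPath `
        -Filter 'system.webServer/security/access' -Name sslFlags `
        -Value 'Ssl,SslNegotiateCert,SslRequireCert'

    # 3. Leave only Anonymous Authentication enabled. These sections are locked at
    #    server level by default, so they are set per location, not in web.config.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $true
    foreach ($auth in 'windowsAuthentication', 'basicAuthentication', 'digestAuthentication') {
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
            -Filter "$authBase/$auth" -Name enabled -Value $false
    }
    # Forms authentication is an ASP.NET (system.web) setting; keep it on until the
    # Mixed-mode transition described in the Security Type section is finished.

    # Check: read back the effective values so a silent misconfiguration is visible.
    $flags = (Get-WebConfiguration -PSPath $appPath -Filter 'system.webServer/security/access').sslFlags
    $anon  = (Get-WebConfiguration -PSPath 'IIS:\' -Location $location `
                  -Filter "$authBase/anonymousAuthentication").enabled
    Write-Host ("{0}: sslFlags={1}; anonymousAuthentication={2}" -f $app, $flags, $anon)
}
```

After running it, browsing to CEDC or SP over HTTPS should prompt for a client certificate, and the check lines should show sslFlags containing SslRequireCert with anonymousAuthentication set to True.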

Change the new Security Type Setting

In cairs.net, there is a new system setting called “Security Type”.  This setting turns on certificate authentication in both cairs.net (CEDC) and SP.  The possible values for this setting include Windows, Certificate, and Mixed.  Here is a description of the setting directly from the System Setting Description in cairs.net:  “Determines which type of security cairs.net uses.  The available options are Mixed, Windows, and Certificate.  Windows allows Windows authentication only. Certificate allows Client Certificate authentication only. Mixed allows for all types of authentication that cairs.net supports.  In this mode, cairs.net checks for a certificate first, but will check the windows credentials if the certificate has never been authorized in cairs.net.  If the certificate is Revoked, cairs.net will prevent login and will not check the windows credentials.”

In order to transition from one mode of authentication to certificate authentication, choose Mixed. Any user that logs in to cairs.net or SP will have their permissions automatically transferred to their certificate user record. Once all users have logged in and transferred their permissions (which happens automatically at the time of login), it is recommended that this setting be changed to Certificate, and that only anonymous authentication be turned on in IIS. This will allow users that could not get into cairs.net to get in using their certificate.

© Unique Communication Solutions 2012