Re: AD Authentication using smart card
- From: iguchiyu@xxxxxxxxx
- Date: Tue, 07 Aug 2007 16:35:23 -0000
Hi Dave and John,
Thanks for your replies. I am sorry that I did not explain my
question in a good way.
Actually, presently I have a client application which asks for the Windows
domain username and password.
This username, password and domain are sent encrypted using a session
key to the server, and the server authenticates the username, password
and domain using the
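    LDAPPATH = LDAPPATH + Domain;
    DirectoryEntry entry = new DirectoryEntry(LDAPPATH, domainAndUsername, Password);
    try
    {
        // Bind to the native AdsObject to force authentication.
        Object obj = entry.NativeObject;
        DirectorySearcher search = new DirectorySearcher(entry);
        // Username is concatenated into the LDAP filter unescaped; escape
        // filter metacharacters (RFC 4515) before building the filter.
        search.Filter = "(SAMAccountName=" + Username + ")";
        search.PropertiesToLoad.Add("cn");
        SearchResult result = search.FindOne();
        // FindOne() returns null when no entry matches the filter.
        if (result == null)
            throw new InvalidOperationException("User not found.");
        LDAPPATH = result.Path;
    }
    catch (Exception)
    {
        // Bind or search failed: let the caller treat it as a failed login.
        throw;
    }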
kind of function.
The client machine can be a Linux/Unix/Windows/Mac
machine.
So I want to keep the authentication on the C# server. Till now my
application was supporting AD authentication using username and
password.
Now I want AD authentication using a smart card.
Thus the smart card is at the Linux machine and the C# server is on Windows 2003
Server. Now if someone uses a smart card on the Linux machine, I want to
authenticate from my server. How can I do the same?
What information from the smart card should be passed to the server so
that the server is able to verify the smart card AD authentication?
Regards,
Y Iguchi
On Aug 6, 8:09 pm, DaveMo <david.mow...@xxxxxxxxx> wrote:
On Aug 4, 8:00 pm, iguch...@xxxxxxxxx wrote:
Hi,
I just wanted to know whether it is possible to use smart card authentication
for my application.
I have a client application in VC++ and a server in C#. The application
takes as input the username, password and domain name.
First these inputs are sent to my server application and the server
authenticates them against Active Directory. After successful
authentication, depending on the username, some information is
provided to my client application.
Now I want to add smart card authentication support to my
application. I want the user to insert the smart card and the smart card
information to be sent to my server.
I think the following steps are desired:
1. Decrypt the certificate present in the smart card.
2. Send this certificate to my server application.
3. Use this certificate to authenticate from AD.
Am I thinking right? Is it possible to do the same?
What is the format of the certificate? Are there any functions
available in ADSI or the Windows SDK for authentication using a
certificate?
Am I missing something?
Y Iguchi
Y Iguchi,
Fortunately, this is very easy to accomplish. What you want to do is
use SSPI and the SChannel security package which implements SSL/TLS.
An option on the server side of the connection is to require client
authentication which requires a certificate. Once the user is
authenticated you can examine the certificate details and make sure
that it is a smartcard certificate. You can also make sure that the
certificate is issued by a particular CA if that would help.
While you are working on the authentication layer of your application,
you should also consider supporting Windows-style username/password
authentication using SSPI and the Negotiate package which wraps
Kerberos & NTLM.
I think there is some SSPI support in the newest version of .NET for
your C# server, but worst case is that you'll have to p/invoke the
native calls.
It may seem like a lot of work at first glance to use the Windows
security packages, but believe me, you don't want to try and
roll your own PKI-based authentication mechanism. There's a reason
that SSL is on version 3 of the protocol - it's hard to get it right!
HTH,
Dave
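
The server-side check described in DaveMo's reply (require a client certificate over TLS, then confirm it is a smart card certificate issued by a particular CA), as an added example that is not code from this thread. It assumes a current .NET runtime with SslProtocols.Tls12; the class name, the helper names and the TrustedCaThumbprint placeholder are hypothetical.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SmartCardTlsServer
{
    // Microsoft "Smart Card Logon" enhanced key usage OID.
    const string SmartCardLogonEku = "1.3.6.1.4.1.311.20.2.2";
    // Assumption: thumbprint of the CA trusted to issue smart card certificates (placeholder).
    const string TrustedCaThumbprint = "<ISSUING-CA-THUMBPRINT>";

    // Invoked by SslStream during the handshake to accept or reject the client certificate.
    public static bool ValidateClient(object sender, X509Certificate cert,
                                      X509Chain chain, SslPolicyErrors errors)
    {
        // Reject a missing certificate or any chain/trust error reported by the platform.
        if (cert == null || chain == null || errors != SslPolicyErrors.None) return false;
        return HasSmartCardLogonEku(new X509Certificate2(cert)) && IssuedByTrustedCa(chain);
    }

    public static bool HasSmartCardLogonEku(X509Certificate2 cert)
    {
        foreach (X509Extension ext in cert.Extensions)
        {
            X509EnhancedKeyUsageExtension eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            foreach (Oid oid in eku.EnhancedKeyUsages)
                if (oid.Value == SmartCardLogonEku) return true;
        }
        return false; // no EKU extension, or it does not list smart card logon
    }

    public static bool IssuedByTrustedCa(X509Chain chain)
    {
        // Element 0 is the client certificate; element 1 is its direct issuer.
        if (chain.ChainElements.Count < 2) return false;
        string issuer = chain.ChainElements[1].Certificate.Thumbprint;
        return string.Equals(issuer, TrustedCaThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    // Wraps an accepted TcpClient in TLS and requires a client certificate.
    public static SslStream Authenticate(TcpClient client, X509Certificate2 serverCert)
    {
        SslStream tls = new SslStream(client.GetStream(), false, ValidateClient);
        // Arguments: client certificate required = true, revocation check = true.
        tls.AuthenticateAsServer(serverCert, true, SslProtocols.Tls12, true);
        return tls; // tls.RemoteCertificate now holds the accepted client certificate
    }
}
```

With this arrangement the card's private key never leaves the client machine: the server sees only the certificate and the proof of possession carried out inside the TLS handshake.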