SharePoint and SmartCards (CAC Cards)

Have you worked with SharePoint and SmartCards?

I have, as in most military / federal environments you will find that users generally access your SharePoint instance through the use of a CAC (Common Access Card) card. It is the same as any other SmartCard just a little more jazzed up in general with some other information appended on it, nothing tremendously real fancy. Here is an example of a CAC card taken from the army .mil website:

The methodology and purpose between a CAC card and a SmartCard are pretty much the same. They are used so that a user can authenticate to all sort of client certificate aware objects. Within federal spheres though, CAC cards are generally mandatory.

But with SharePoint, SmartCards kind of are annoying. There are some caveats to setting up your environment within SharePoint in regards to maintaining CAC compliance, some which can be handled using inherent IIS settings, others, well, require custom development.

For a lot of people, the implementation of Smartcard security architecture into their SharePoint environment can be a relatively painless one. If you know that all of your users have Active Directory accounts, then you are ready to go, as doing some configuration in IIS will get you most of the way there. The way that this can be done is through a concept called client certificate mapping. Client certificate mapping will basically query for the client certificate off of the Smartcard, and map that to a pre-existing Windows account. In essence, this is not much different than the configuration that you end up with when using Integrated Windows Authentication since you will will still have valid Windows identity to put comparison operators against. If this is your case, the problems that you will run into are inherently bound to IIS. You biggest change is in the IIS metabase, since you will have to manipulate the metabase property that orchestrates SSL client connection negotiations. Meaning, you will tell SharePoint to always negotiate the certificate, which will help resolve client certificate re-negotiation deadlocks. This is done by setting the SSLAlwaysNegoClientCert Metabase Property to true.

While this works, it is not my ideal situation for large environments. I have many users that although have CAC / SmartCard cards that will not exist in the Active Directory tree that I can program against. This presents a large problem for me because my mapping will fail as the comparison operator will consistently pull a false value upon the matching return. I also can’t really imagine the implementing any type of management that would be beneficial in this type of scenario, because I would have to know the users password, which for a typically military unit, can be mammoth. Along those same lines, I would have to actually setup my 1-to-1 mapping scenario. I don’t want to undertake this task in any way share or form. If I went that route, I would be stuck with a management scenario, that would for the sake of a better word, become unmanageable.
Fortunately, through the use of ASP.NET it is possible to inject things in the ASP.NET request stream. This is a good thing. With several authentication methods that are offered in the realm of SharePoint, they are implemented as HTTP modules. For example, if you are using FBA with your SharePoint instance it is going to be using HTTP modules as well.

How an HTTP module works is pretty simple. Firstly, a SharePoint web request will be submitted to IIS. That web request will be mapped to ASP.NET, which will parse the page through the ASP.NET 2.0 engine which in essence is a web request hand-off. This is where the HTTP module comes into effect. Once the web request is handed off to ASP.NET there will be a query into the HTTP modules that exist in the configuration files on the server to determine if any should intercept and possibly manipulate the request. Although only certain modules may take effect, all the HTTP modules that are available are loaded.

If you want to see this in action, you can display the HTTP modules that are currently being instantiated from your SharePoint site through some small code using the Context.ApplicationInstance.Modules collection within a WebPart OnLoad event.

In the next post in this series, I will talk about how we can solve this issue through the construction of a custom HTTP module, and how we can manage our client certificates through database storage as opposed to relying on Windows Accounts. Following, we will see how we can exploit this concept further to implement a custom role provider that will plug into the HTTP module in order to provide a mechanism to redirect users whom don’t subscribe to a role to a default anonymous site, as well as implement strongly named  roles for the SharePoint environment.


39 thoughts on “SharePoint and SmartCards (CAC Cards)”

  1. This can also be accomplished by using ISA 2006 to verify the CAC to DoD and then either pass an anonymous request to the SharePoint Farm or map the account to AD and then pass a Kerberos ticket to the SharePoint Farm using Kerberos Constrained Delegation. It is a pretty slick zero code solution.

  2. That’s what I have used in some circumstances, and this way in some others. There is a sunk cost with ISA from both the hardware, implementation, and management perspectives that make some segments of the DoD somewhat wean away from it as a solution.

    I haven’t tried 100% what I am describing here through ISA (i.e. mapping non-AD users from CAC / SmartCard interrogated information), but I will look into giving it a shot.

    I do like using Kerberos generally in the way you describe it though because of the speed considerations and working with the TGT’s to build a more uniform sign in environment for other applications.

  3. Hi I am also working on a military site and I am trying to require cac authentication on my sharepoint site and I am having a lot of problems. The closest we got was where users were asked to authenticate twice with the cac cards. By any chance did you document your procedure in setting this up?

  4. I don’t really have a step by step process that is out there because the architectural differences between environments can be so vast.

    How exactly are you doing your authentication? Did you just check the IIS settings to accept client certificates?

  5. Adam,
    Great post; I’m eagerly anticipating the “next in the series”. A task similar to the one you describe was given to me as, essentially, my introduction to SharePoint, CAC, Active Directory… you name it, I haven’t worked with it yet! (So I apologize if I misuse terminology or otherwise betray incompetence.)
    Basically, the users will need to be able to log in via their username/password or via CAC (from offsite or out-of-forest AD), with username/password and offsite CAC winding up as the same user.
    I have a handle on implementing an HTTP module and how non-AD users will work, but I’m very stuck on figuring out how to associate the authenticated CAC to an AD entry. I know you’re all different kinds of busy, but I would be greatly indebted for any advice you can offer. Thanks!

  6. Hello Adam,

    I am trying to set up CAC card signing for InfoPath 2003 forms on a SIPR SPS 3.0 environment (which we currently do not sign on with a CAC).

    Any help would be appreciated or a point in the right direction. I am not a coder… yet… but I am a quick study.

    I am a Multi-Media Illustrator by MOS, but a InfoManagement/Automation guy in practice.

  7. Adam,

    Thank you for this post. It addresses many of the issues I face. I am currently implementing a SP Portal for an USAF ACC client, with geographically seperated units around the country and in different commands. The AD info is not shared between commands, so I have had to use FBA. My question is this: Is there anyway to determine identity from the CAC card? How would I map that identity to a role in my FBA role provider? Eliminating the username/password process would be a HUGE plus to the client, but I’m not sure it’s possible. If it’s not, then there isn’t any real point in dealing with the CAc card at all.
    I sincerely appreciate your help in pointing me in the right direction.

  8. We have situations where a user has two different CAC’s with the same UPN. One CAC is there Navy Reserve CAC the other is their civilian CAC. The UPN is AD has to be unique so this person can only have one account but needs two. Is their a solution and has anybody else run into this situation?

  9. Adam,
    Great Post! I have a requirement for CAC card signing in for SharePoint server 2007 (MOSS). Any help with ISA Approach or FBA in detail.
    Thanks in advance

  10. I have set up CAC authentication through our ISA 2006 array to our ‘MySite’ and the regular portal, but I am having issues enabling CAC authentication to our anonymous site. I have gotten it to work internally with a many-to-one authentication model, it’s just having an external user hit our ISA 2006 array that is causing me issues. Any insight would be greatly appreciated!!

  11. Hey Adam,

    Great post! It’s always at the top of the Google results for CAC/Smart Card and SharePoint. :-)

    Got any updates regarding the HTTP module or the possibility of using a Membership provider?

  12. Excellent post. Describes exactly what I need to do for an Air Force Space Command SP implementation. Have you done the follow-up post.

  13. I am trying to implement Authentication & Authorization with CAC’s in SharePoint. I have put a custom httpModule in the pipeline for my SharePoint portal, but if I so much as try to read the context.Request.clientCertificate.isPresent() value, the portal crashes so hard that I have to restore from backup. The same code works when I put it in the pipeline of a non-SharePoint, Html site. Has anyone seen anything similar? Has anyone gotten this to work?

  14. I have finally figured out the solution to my problem of publishing an anonymous sharepoint site while requiring a valid CAC to visit. If anyone is having this issue feel free to contact me so I might be able to help out!

  15. Hi Noni,

    I am trying to implement an anonymous sharepoint site with valid CAC card. Can you email me how did you do that?


  16. I am in the process of writing a configuration guide that will save days/weeks/months of sweat, tears and nightmares!

    On another note I am a dude, a quite masculine one at that!

  17. Sorry it’s taking so long…i fractured my wrist and dislocated a finger so things have been moving slowly. I should have it done very soon, sorry for the delay!



  18. Noni,

    I saw the article you wrote titled CAC Enabled Anonymous Sharepoint Sites, however is that the follow-up to this article, as it didn’t mention the HTTP Module at all. If not can you point me to the article.

  19. I have been using CAC Cards by simply geting the User Name from parsing the server variable CERT_SUBJECT and then comparing that name to names in my web application’s database. So far, it works). I haven’t had two users with the same name. But when the certificate gets chaged or misnamed, CERT_SUBJECT comes up blank.

  20. I need to implement smart card authentication to AD users and password auth for external users on the same web app… Can anyone give me a piece of advise how to do that? :)
    I know how to do that with different web apps, but not with one :(

  21. Has anyone attempted this with an External Certificate Authority for non-DoD users? We are in the process of looking into this and wanted to get some level of the difficulty we are going to have to deal with.


  22. I know the original thread is a bit dated. but DoD has for the most part standardized on ISA for CAC, originally specifically for OWA and now for SharePoint/MOSS. The is even a DISA STIG (Security Technical Implementation Guides) for this. See here: and here Curretnly Microsoft’s Intelligent Application Gateway (IAG) and it’s future version Unified Application Gateway (UAG) are being looked at to address this as wel as other remote access needs. Again a no code solution. DoD custer have access to the Setup/build docs from DISA.

    There are several more recent papers on the topic of KCD see here:

    Kerberos Constrained Delegation in ISA Server 2006

    The CAC for OWA setup/Build documention was developed and written by the authors of this article— (the same approach has been leverage for use with SharePoint / MOSS and more)

    Log onto Outlook Web Access with Smart Cards

    Configuring Kerberos constrained delegation with IAG SP2

    Configure Kerberos authentication (Office SharePoint Server)

    A user cannot access a Web site that is published in ISA Server 2006 by using Kerberos constrained delegation if the user is not in the same domain as the ISA Server computer

    KCD with Cross-Forest Accounts

    Same kind of idea but for Performance Point in this case.
    Video demo: Configuring Kerberos delegation for Monitoring Server

    How to Configure Certificate Based Authentication for OWA – Part I

  23. You posted
    The guide is finally complete and on Adam’s main page! Hope it helps everyone!

    Comment by Noni Hernandez — April 28, 2009 @ 6:28 am

    Can you provide the url to adam’s main page, please.

  24. Hello.
    I’m in a similar position – setting up CAC access through ISA 2006 sp1 w/KCD to our share point 2007 server farm, using ISA to load balance the Sharepoint servers.

    I’ve had no problem setting up OWA, but share point is now giving me the following errors:

    Web browser is sending a www-authenticate head filed that the web server is not configured to accept:
    HTTP Error 401.2 – Unauthorized,: Access is denied due to server configuration.
    Internet Information Services (IIS).

    The ISA and Sharepoint servers exist in the same domain, the users all exist in AD, the basics all seem correct. Not sure the Sharepoint guys are completely configured for Kerberos yet (It’s on our test network, of course).

    I’ve set up an SPN in the domain service account used for the Sharepoint application pool identity, and enabled delegation from ISA to the service account.

    I’d certainly appreciate an email so that I could perhaps speak with you, or perhaps links to some more docs. It seems to be sparse, using CAC w/ISA & Smartcard authenticatio

    Thanks in advance!.

  25. I cannot access the above sharepoint website with my CAC. I keep receiving a Error Code 500 – Internal Server Error.

    I have clear browsers, cleared SSL, deleted all cookies, picked email and non email certs, tried different computers and I even got a new CAC, reloaded my new certs, and I keep getting the same error code.

    I verified that I have permissions to access the sharepoint drive, but I can’t get there.

    Anyone have any suggestions?

    Thank you,

Leave a Reply

Your email address will not be published. Required fields are marked *