Comments on: SharePoint and SmartCards (CAC Cards) http://www.sharepointsecurity.com/sharepoint/sharepoint-security/sharepoint-and-smartcards-cac-cards/ The Authorative Resource For SharePoint Security Articles, Research, Software, And Security Integration Consulting Thu, 11 Mar 2010 20:38:00 -0700 http://wordpress.org/?v=2.9.2 hourly 1 By: adam http://www.sharepointsecurity.com/sharepoint/sharepoint-security/sharepoint-and-smartcards-cac-cards/comment-page-1/#comment-25214 adam Tue, 02 Feb 2010 17:45:39 +0000 http://www.sharepointsecurity.com/blog/sharepoint/sharepoint-2007-security/sharepoint-and-smartcards-cac-cards/#comment-25214 I would firstly look at the other CAC card / SharePoint articles on this site, particuarlly this one by Noni: http://www.sharepointsecurity.com/sharepoint/cac-enabled-anonymous-sharepoint-sites/ I would firstly look at the other CAC card / SharePoint articles on this site, particuarlly this one by Noni:

http://www.sharepointsecurity.com/sharepoint/cac-enabled-anonymous-sharepoint-sites/

]]> By: Brett http://www.sharepointsecurity.com/sharepoint/sharepoint-security/sharepoint-and-smartcards-cac-cards/comment-page-1/#comment-25213 Brett Tue, 02 Feb 2010 17:00:49 +0000 http://www.sharepointsecurity.com/blog/sharepoint/sharepoint-2007-security/sharepoint-and-smartcards-cac-cards/#comment-25213 Hello. I'm in a similar position - setting up CAC access through ISA 2006 sp1 w/KCD to our share point 2007 server farm, using ISA to load balance the Sharepoint servers. I've had no problem setting up OWA, but share point is now giving me the following errors: Summary: Web browser is sending a www-authenticate head filed that the web server is not configured to accept: HTTP Error 401.2 - Unauthorized,: Access is denied due to server configuration. Internet Information Services (IIS). The ISA and Sharepoint servers exist in the same domain, the users all exist in AD, the basics all seem correct. Not sure the Sharepoint guys are completely configured for Kerberos yet (It's on our test network, of course). I've set up an SPN in the domain service account used for the Sharepoint application pool identity, and enabled delegation from ISA to the service account. I'd certainly appreciate an email so that I could perhaps speak with you, or perhaps links to some more docs. It seems to be sparse, using CAC w/ISA & Smartcard authenticatio Thanks in advance!. Hello.
I’m in a similar position – setting up CAC access through ISA 2006 sp1 w/KCD to our share point 2007 server farm, using ISA to load balance the Sharepoint servers.

I’ve had no problem setting up OWA, but share point is now giving me the following errors:

Summary:
Web browser is sending a www-authenticate head filed that the web server is not configured to accept:
HTTP Error 401.2 – Unauthorized,: Access is denied due to server configuration.
Internet Information Services (IIS).

The ISA and Sharepoint servers exist in the same domain, the users all exist in AD, the basics all seem correct. Not sure the Sharepoint guys are completely configured for Kerberos yet (It’s on our test network, of course).

I’ve set up an SPN in the domain service account used for the Sharepoint application pool identity, and enabled delegation from ISA to the service account.

I’d certainly appreciate an email so that I could perhaps speak with you, or perhaps links to some more docs. It seems to be sparse, using CAC w/ISA & Smartcard authenticatio

Thanks in advance!.

]]> By: adam http://www.sharepointsecurity.com/sharepoint/sharepoint-security/sharepoint-and-smartcards-cac-cards/comment-page-1/#comment-25079 adam Fri, 06 Nov 2009 17:52:14 +0000 http://www.sharepointsecurity.com/blog/sharepoint/sharepoint-2007-security/sharepoint-and-smartcards-cac-cards/#comment-25079 http://www.sharepointsecurity.com/sharepoint/cac-enabled-anonymous-sharepoint-sites/ http://www.sharepointsecurity.com/sharepoint/cac-enabled-anonymous-sharepoint-sites/

]]> By: GReddy http://www.sharepointsecurity.com/sharepoint/sharepoint-security/sharepoint-and-smartcards-cac-cards/comment-page-1/#comment-25078 GReddy Fri, 06 Nov 2009 17:04:26 +0000 http://www.sharepointsecurity.com/blog/sharepoint/sharepoint-2007-security/sharepoint-and-smartcards-cac-cards/#comment-25078 Can you please provide the URL for the guide? Can you please provide the URL for the guide?

]]> By: robin http://www.sharepointsecurity.com/sharepoint/sharepoint-security/sharepoint-and-smartcards-cac-cards/comment-page-1/#comment-24891 robin Tue, 15 Sep 2009 20:13:41 +0000 http://www.sharepointsecurity.com/blog/sharepoint/sharepoint-2007-security/sharepoint-and-smartcards-cac-cards/#comment-24891 You posted The guide is finally complete and on Adam’s main page! Hope it helps everyone! Comment by Noni Hernandez — April 28, 2009 @ 6:28 am Can you provide the url to adam's main page, please. You posted
The guide is finally complete and on Adam’s main page! Hope it helps everyone!

Comment by Noni Hernandez — April 28, 2009 @ 6:28 am

Can you provide the url to adam’s main page, please.

]]> By: SecurityPresentations http://www.sharepointsecurity.com/sharepoint/sharepoint-security/sharepoint-and-smartcards-cac-cards/comment-page-1/#comment-24568 SecurityPresentations Thu, 18 Jun 2009 01:15:39 +0000 http://www.sharepointsecurity.com/blog/sharepoint/sharepoint-2007-security/sharepoint-and-smartcards-cac-cards/#comment-24568 I know the original thread is a bit dated. but DoD has for the most part standardized on ISA for CAC, originally specifically for OWA and now for SharePoint/MOSS. The is even a DISA STIG (Security Technical Implementation Guides) for this. See here: http://iase.disa.mil/stigs/draft-stigs/draft_isa_server_2006_addendumv1r0.doc and here http://iase.disa.mil/stigs/draft-stigs/draft_isa_server_2006_addendumv1r0.doc. Curretnly Microsoft's Intelligent Application Gateway (IAG) and it's future version Unified Application Gateway (UAG) are being looked at to address this as wel as other remote access needs. Again a no code solution. DoD custer have access to the Setup/build docs from DISA. There are several more recent papers on the topic of KCD see here: Kerberos Constrained Delegation in ISA Server 2006 http://technet.microsoft.com/en-us/library/bb794858.aspx The CAC for OWA setup/Build documention was developed and written by the authors of this article--- (the same approach has been leverage for use with SharePoint / MOSS and more) Log onto Outlook Web Access with Smart Cards http://technet.microsoft.com/en-us/magazine/2007.07.smartcards.aspx Configuring Kerberos constrained delegation with IAG SP2 http://technet.microsoft.com/en-us/library/dd278107.aspx Configure Kerberos authentication (Office SharePoint Server) http://technet.microsoft.com/en-us/library/cc263449.aspx A user cannot access a Web site that is published in ISA Server 2006 by using Kerberos constrained delegation if the user is not in the same domain as the ISA Server computer http://support.microsoft.com/kb/942637/en-us KCD with Cross-Forest Accounts http://technet.microsoft.com/en-us/library/cc752953.aspx Same kind of idea but for Performance Point in this case. Video demo: Configuring Kerberos delegation for Monitoring Server http://technet.microsoft.com/en-us/library/dd630733.aspx How to Configure Certificate Based Authentication for OWA - Part I http://msexchangeteam.com/archive/2008/10/07/449942.aspx I know the original thread is a bit dated. but DoD has for the most part standardized on ISA for CAC, originally specifically for OWA and now for SharePoint/MOSS. The is even a DISA STIG (Security Technical Implementation Guides) for this. See here: http://iase.disa.mil/stigs/draft-stigs/draft_isa_server_2006_addendumv1r0.doc and here http://iase.disa.mil/stigs/draft-stigs/draft_isa_server_2006_addendumv1r0.doc. Curretnly Microsoft’s Intelligent Application Gateway (IAG) and it’s future version Unified Application Gateway (UAG) are being looked at to address this as wel as other remote access needs. Again a no code solution. DoD custer have access to the Setup/build docs from DISA.

There are several more recent papers on the topic of KCD see here:

Kerberos Constrained Delegation in ISA Server 2006
http://technet.microsoft.com/en-us/library/bb794858.aspx

The CAC for OWA setup/Build documention was developed and written by the authors of this article— (the same approach has been leverage for use with SharePoint / MOSS and more)

Log onto Outlook Web Access with Smart Cards
http://technet.microsoft.com/en-us/magazine/2007.07.smartcards.aspx

Configuring Kerberos constrained delegation with IAG SP2
http://technet.microsoft.com/en-us/library/dd278107.aspx

Configure Kerberos authentication (Office SharePoint Server)
http://technet.microsoft.com/en-us/library/cc263449.aspx

A user cannot access a Web site that is published in ISA Server 2006 by using Kerberos constrained delegation if the user is not in the same domain as the ISA Server computer
http://support.microsoft.com/kb/942637/en-us

KCD with Cross-Forest Accounts
http://technet.microsoft.com/en-us/library/cc752953.aspx

Same kind of idea but for Performance Point in this case.
Video demo: Configuring Kerberos delegation for Monitoring Server
http://technet.microsoft.com/en-us/library/dd630733.aspx

How to Configure Certificate Based Authentication for OWA – Part I
http://msexchangeteam.com/archive/2008/10/07/449942.aspx

]]> By: Chris Thomas http://www.sharepointsecurity.com/sharepoint/sharepoint-security/sharepoint-and-smartcards-cac-cards/comment-page-1/#comment-23844 Chris Thomas Mon, 18 May 2009 13:56:07 +0000 http://www.sharepointsecurity.com/blog/sharepoint/sharepoint-2007-security/sharepoint-and-smartcards-cac-cards/#comment-23844 Has anyone attempted this with an External Certificate Authority for non-DoD users? We are in the process of looking into this and wanted to get some level of the difficulty we are going to have to deal with. Chris Has anyone attempted this with an External Certificate Authority for non-DoD users? We are in the process of looking into this and wanted to get some level of the difficulty we are going to have to deal with.

Chris

]]> By: Dvar http://www.sharepointsecurity.com/sharepoint/sharepoint-security/sharepoint-and-smartcards-cac-cards/comment-page-1/#comment-23638 Dvar Mon, 11 May 2009 17:10:28 +0000 http://www.sharepointsecurity.com/blog/sharepoint/sharepoint-2007-security/sharepoint-and-smartcards-cac-cards/#comment-23638 I need to implement smart card authentication to AD users and password auth for external users on the same web app... Can anyone give me a piece of advise how to do that? :) I know how to do that with different web apps, but not with one :( I need to implement smart card authentication to AD users and password auth for external users on the same web app… Can anyone give me a piece of advise how to do that? :)
I know how to do that with different web apps, but not with one :(

]]> By: J. Hughes http://www.sharepointsecurity.com/sharepoint/sharepoint-security/sharepoint-and-smartcards-cac-cards/comment-page-1/#comment-23637 J. Hughes Mon, 11 May 2009 16:29:20 +0000 http://www.sharepointsecurity.com/blog/sharepoint/sharepoint-2007-security/sharepoint-and-smartcards-cac-cards/#comment-23637 I have been using CAC Cards by simply geting the User Name from parsing the server variable CERT_SUBJECT and then comparing that name to names in my web application's database. So far, it works). I haven't had two users with the same name. But when the certificate gets chaged or misnamed, CERT_SUBJECT comes up blank. I have been using CAC Cards by simply geting the User Name from parsing the server variable CERT_SUBJECT and then comparing that name to names in my web application’s database. So far, it works). I haven’t had two users with the same name. But when the certificate gets chaged or misnamed, CERT_SUBJECT comes up blank.

]]> By: Jeremy Weiss http://www.sharepointsecurity.com/sharepoint/sharepoint-security/sharepoint-and-smartcards-cac-cards/comment-page-1/#comment-23555 Jeremy Weiss Thu, 07 May 2009 20:14:05 +0000 http://www.sharepointsecurity.com/blog/sharepoint/sharepoint-2007-security/sharepoint-and-smartcards-cac-cards/#comment-23555 Noni, I saw the article you wrote titled CAC Enabled Anonymous Sharepoint Sites, however is that the follow-up to this article, as it didn't mention the HTTP Module at all. If not can you point me to the article. Noni,

I saw the article you wrote titled CAC Enabled Anonymous Sharepoint Sites, however is that the follow-up to this article, as it didn’t mention the HTTP Module at all. If not can you point me to the article.

]]>