Tags: security, authentication, smartcard, digital-certificate, cac

Bypass choosing a digital certificate and present the user with a PIN prompt


I am working with a C#.NET application right now where I have smartcard authentication working properly, by allowing users to pick their digital certificate and enter their PIN. However, I want to do away with allowing the user to pick their certificate and have one of their certificates picked for them automatically (every user has the same certificates). This would make it so that when a user tries to enter the site, they are simply presented with a PIN prompt. Any ideas on how to go about doing this? All the users I work with use Internet Explorer 7 and have workstations with ActivIdentity and Tumbleweed.


Solution

  • Write a Java applet to do the job on the client side using a PKCS#11 wrapper or, if you can restrict your users to IE, create and use an ActiveX control. I have already done both. For ActiveX you have to have it digitally signed to declare it as a safe ActiveX control.

    It is not a straightforward task, but I found the Java applet easier to implement. The downside is that the JRE (Java Runtime Environment) has to already be installed on the client side and play nicely with the browser. The user also has to grant the applet permission to connect to his smart card on first run.
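Added example (not the answer author's code, and not part of the original page): the client-side logic the answer describes, in Java, using the JDK's built-in SunPKCS11 provider rather than a third-party PKCS#11 wrapper. It logs in to the card with a PIN, picks the certificate automatically instead of showing a chooser, and signs a server challenge with the card-held key. Assumptions labelled in the code: the ActivClient PKCS#11 library path, the selection rule (the key entry whose certificate carries the id-kp-clientAuth EKU and the digitalSignature key usage, which is what a CAC identity certificate carries), the Java 6-8 SunPKCS11 constructor, and a locally generated nonce standing in for one the server would issue.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;

/**
 * Added example, not code from the original answer.
 * Picks the card's client-authentication certificate automatically and asks
 * the user only for the PIN; uses SunPKCS11 (Java 6-8 constructor) in place of
 * the PKCS#11 wrapper mentioned in the answer.
 */
public class CacPinOnlySigner {

    // Assumption: location of the ActivClient PKCS#11 module on the workstation.
    private static final String PKCS11_LIB = "C:\\Windows\\System32\\acpkcs211.dll";

    // id-kp-clientAuth, the EKU used here as the selection rule (assumption).
    private static final String CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2";

    /** Log in to the token. A wrong PIN makes KeyStore.load throw an IOException. */
    static KeyStore openToken(char[] pin) throws Exception {
        String config = "name=ActivClient\nlibrary=" + PKCS11_LIB + "\n";
        Provider p = new sun.security.pkcs11.SunPKCS11(
                new ByteArrayInputStream(config.getBytes("UTF-8")));
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);   // C_Login happens here; no certificate chooser is shown
        return ks;
    }

    /** Return the alias of the first in-date key entry whose cert has clientAuth EKU and digitalSignature KU. */
    static String pickClientAuthAlias(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue;                                   // certificate-only entries cannot sign
            }
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            List<String> eku = cert.getExtendedKeyUsage();
            boolean[] ku = cert.getKeyUsage();              // index 0 is digitalSignature
            if (eku == null || !eku.contains(CLIENT_AUTH_EKU) || ku == null || !ku[0]) {
                continue;                                   // skips the e-mail signing/encryption certs
            }
            try {
                cert.checkValidity();
            } catch (CertificateException expiredOrNotYetValid) {
                continue;
            }
            return alias;
        }
        throw new IllegalStateException("no valid client-authentication certificate on the token");
    }

    /** Sign a server-issued nonce with the selected key; the RSA operation runs on the card. */
    static byte[] signChallenge(KeyStore ks, String alias, byte[] challenge) throws Exception {
        PrivateKey key = (PrivateKey) ks.getKey(alias, null); // PIN was already supplied to load()
        Signature sig = Signature.getInstance("SHA256withRSA", ks.getProvider());
        sig.initSign(key);
        sig.update(challenge);
        return sig.sign();
    }

    public static void main(String[] args) throws Exception {
        char[] pin = System.console().readPassword("PIN: ");
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);                // constructed here; the server would issue this
        try {
            KeyStore ks = openToken(pin);
            String alias = pickClientAuthAlias(ks);
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            byte[] signature = signChallenge(ks, alias, nonce);

            // Local verification with the public key shows the round trip; the server
            // repeats it with the certificate the client sends alongside the signature.
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(cert.getPublicKey());
            verifier.update(nonce);
            System.out.println("selected " + cert.getSubjectX500Principal()
                    + ", signature valid: " + verifier.verify(signature));
        } finally {
            Arrays.fill(pin, '\0');                        // never keep the PIN in memory
        }
    }
}
```

Selecting by EKU rather than by a fixed slot index or subject string is what makes this survive card re-issuance, since the three CAC certificates can change order between issuers. The server side still has to do the real work: verify the certificate chain to the issuing CA, check revocation, bind the nonce to the session so a signature cannot be replayed, and only then map the certificate subject to an account.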