Tags: asp.net, asp.net-mvc, authentication, single-sign-on, cac

ASP.NET Authenticate after CAC login


I'm hoping I'm just missing a step, and that someone can point me in the right direction. Users have a CAC, which authenticates through IIS with their PIN. Once that has been entered, I need to authenticate the user in the website, without their having to enter a username or password. I CANNOT USE ACTIVE DIRECTORY AUTHENTICATION. I am assuming Forms authentication at this time.

Assuming that the user logging in has registered, and that their information, along with allowable roles, is in the database (which I can look up based on the information in the client certificate on the CAC)... what process do I need to implement/read up on to authenticate said user in the website?

Thank you in advance for advice/information.

BrianW


Solution

  • Start by looking into extracting data from the certificate itself. If you extract from the Email certificate, you can pull the UserPrincipalName, which will be almost entirely immutable for your potential userbase and can key users even if their name changes. If you want to use the 'normal' identity certificate, you'll need to extract the 10-digit number (EDIPI) from the CN attribute, which will then be immutable. You could just use the CN to get started, but beware that it is not immutable and that name changes will cause it to be modified on subsequent cards whereas the EDIPI will remain constant [again, for 99.9+% of the use cases; only when someone is errantly issued a second card / identity does this fail, and that's quite rare].
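The extraction the answer describes, worked through as an added C# example for an ASP.NET MVC (System.Web) site; it is not code from the question or the answer. It assumes IIS has already negotiated the client certificate (so it is available as `Request.ClientCertificate`), that the CN follows the CAC layout `LAST.FIRST.MIDDLE.<10-digit EDIPI>`, that the UPN lives in the Subject Alternative Name as the Microsoft UPN otherName, and that `IUserRepository` is a hypothetical lookup against the site's own user table. The chain check re-validates trust in the application rather than relying solely on the IIS setting.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical user store: the site's own table keyed by EDIPI or UPN,
// as described in the question. Not part of the original post.
public interface IUserRepository
{
    string FindUserNameByEdipi(string edipi);
    string FindUserNameByUpn(string upn);
}

public static class CacIdentity
{
    // CN attribute of the subject DN (SimpleName returns the CN when present).
    public static string GetCommonName(X509Certificate2 cert)
    {
        return cert.GetNameInfo(X509NameType.SimpleName, false);
    }

    // The EDIPI is the trailing 10-digit component of the CN; null if absent.
    public static string GetEdipi(X509Certificate2 cert)
    {
        var cn = GetCommonName(cert) ?? string.Empty;
        var m = Regex.Match(cn, @"\.(\d{10})$");
        return m.Success ? m.Groups[1].Value : null;
    }

    // UPN from the SAN otherName. .NET exposes it directly via UpnName;
    // the text-parsing fallback assumes the English-locale "Principal Name="
    // rendering of the extension and is best-effort only.
    public static string GetUpn(X509Certificate2 cert)
    {
        var upn = cert.GetNameInfo(X509NameType.UpnName, false);
        if (!string.IsNullOrEmpty(upn)) return upn;

        foreach (X509Extension ext in cert.Extensions)
        {
            if (ext.Oid.Value != "2.5.29.17") continue;   // subjectAltName
            var m = Regex.Match(ext.Format(false), @"Principal Name=([^,\s]+)");
            if (m.Success) return m.Groups[1].Value;
        }
        return null;
    }

    // Re-check chain and revocation in the application so a misconfigured
    // IIS binding cannot silently accept an untrusted or revoked card.
    public static bool IsTrusted(X509Certificate2 cert)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        return chain.Build(cert);
    }
}

public class CacLoginController : Controller
{
    private readonly IUserRepository _users;

    public CacLoginController(IUserRepository users) { _users = users; }

    // Reached after IIS has prompted for the card/PIN; no password form.
    public ActionResult Index()
    {
        HttpClientCertificate clientCert = Request.ClientCertificate;
        if (!clientCert.IsPresent || !clientCert.IsValid)
            return new HttpUnauthorizedResult();

        var cert = new X509Certificate2(clientCert.Certificate);
        if (!CacIdentity.IsTrusted(cert))
            return new HttpUnauthorizedResult();

        // Prefer the immutable identifiers over the mutable CN.
        string userName = null;
        var edipi = CacIdentity.GetEdipi(cert);
        if (edipi != null) userName = _users.FindUserNameByEdipi(edipi);
        if (userName == null)
        {
            var upn = CacIdentity.GetUpn(cert);
            if (upn != null) userName = _users.FindUserNameByUpn(upn);
        }

        // Unregistered card: do not auto-provision; send to registration.
        if (userName == null)
            return RedirectToAction("Register", "Account");

        // Issue the Forms authentication ticket; roles come from the DB
        // via the configured RoleProvider on subsequent requests.
        FormsAuthentication.SetAuthCookie(userName, false);
        return RedirectToAction("Index", "Home");
    }
}
```

Roles can then be enforced with the usual `[Authorize(Roles = "...")]` attributes once a RoleProvider backed by the same table is configured; the only thing the certificate supplies is a stable key for the lookup.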