Smart Card Integration with Secret Server
Since Secret Server uses IIS to run the web application, we use IIS for smart card authentication. See Authenticate Clients Using Smart Cards for details.
We recommend enabling Integrated Windows Authentication in Secret Server if the users are AD users. In this way, Secret Server will not prompt for credentials if the user is authenticated to AD. IIS will authenticate users based on the smart card certificate, and Secret Server will allow the user through since they are logged in as an AD user.
To accomplish this operation, three steps need to be completed:
- Configure Client Certificate Authentication in IIS.
- Configure Windows Authentication in IIS (see Configuring Integrated Windows Authentication).
- Configure Windows Authentication in Secret Server.
To Configure Windows Authentication in Secret Server:
- Install the Client Certificate Mapping Authentication and the IIS Client Certificate Mapping Authentication role services for IIS.
- Reboot.
- In the IIS manager, highlight the server and click Authentication.
- Enable Active Directory Client Certificate Authentication.
- Highlight the virtual folder for Secret Server, and click SSL Settings.
- Click to select the Require SSL checkbox.
- Select Accept under Client Certificates.
- Edit the %windir%\system32\inetsrv\config\applicationhost.config file by adding the line below directly under the existing <windowsAuthentication enabled="false" /> line:
  <clientCertificateMappingAuthentication enabled="true" />
- Enable Integrated Windows Authentication in Secret Server.
The next time a user goes to Secret Server, if a smart card is inserted, they will be prompted for smart card credentials, otherwise they are redirected to the login screen.
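The following PowerShell script is an added example, not part of the Secret Server documentation: it reads back the IIS settings the procedure above relies on (role services, the server-level clientCertificateMappingAuthentication switch, Windows Authentication on the application, and the SSL/client certificate flags) so an administrator can confirm the result before testing with a smart card. It assumes the WebAdministration module is available and that Secret Server is installed at 'Default Web Site/SecretServer'; change $SiteApp to match your site.

```powershell
param(
    # Assumed location of the Secret Server application (site/virtual folder); adjust as needed.
    [string]$SiteApp = 'Default Web Site/SecretServer'
)
Import-Module WebAdministration
$appHost  = 'MACHINE/WEBROOT/APPHOST'
$authPath = 'system.webServer/security/authentication'

# Get-WebConfigurationProperty returns a ConfigurationAttribute for some attributes and a
# plain value for others; normalise to the value so comparisons below are simple.
function Get-IisAttr {
    param([string]$Filter, [string]$Name, [string]$Location)
    $args = @{ PSPath = $appHost; Filter = $Filter; Name = $Name }
    if ($Location) { $args['Location'] = $Location }
    $r = Get-WebConfigurationProperty @args
    if ($null -ne $r -and $r.PSObject.Properties['Value']) { return $r.Value }
    return $r
}

# 1. Role services from the procedure: Client Certificate Mapping Authentication (Web-Client-Auth)
#    and IIS Client Certificate Mapping Authentication (Web-Cert-Auth).
foreach ($f in Get-WindowsFeature -Name Web-Client-Auth, Web-Cert-Auth) {
    '{0,-50} installed={1}' -f $f.DisplayName, $f.Installed
}

# 2. Server-level switch written into applicationHost.config by the procedure
#    (<clientCertificateMappingAuthentication enabled="true" />).
$certMap = Get-IisAttr "$authPath/clientCertificateMappingAuthentication" 'enabled'
"clientCertificateMappingAuthentication (server) enabled=$certMap"

# 3. Windows Authentication on the Secret Server application itself.
$winAuth = Get-IisAttr "$authPath/windowsAuthentication" 'enabled' $SiteApp
"windowsAuthentication on $SiteApp enabled=$winAuth"

# 4. SSL Settings on the application: "Require SSL" + "Accept" client certificates is stored as
#    sslFlags 'Ssl,SslNegotiateCert'. 'SslRequireCert' would mean "Require" was chosen instead,
#    and a missing 'Ssl' means the Require SSL checkbox was not set.
$ssl = [string](Get-IisAttr 'system.webServer/security/access' 'sslFlags' $SiteApp)
"sslFlags on $SiteApp = '$ssl'"
$expected = ($ssl -match 'Ssl') -and ($ssl -match 'SslNegotiateCert') -and ($ssl -notmatch 'SslRequireCert')
"Require SSL + Accept client certificates configured as documented: $expected"
```

Run it in an elevated PowerShell session on the Secret Server web host; every line should report the value the procedure sets before you test with a smart card.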