Smart Card Integration with Secret Server

Since Secret Server uses IIS to run the web application, we use the IIS function for smart card authentication: https://technet.microsoft.com/en-us/library/cc732116.aspx

We recommend enabling Integrated Windows Authentication in Secret Server (under Administration > Active Directory) if the users are AD users. That way, Secret Server will not prompt for credentials if the user is already authenticated to AD. IIS authenticates the user based on the smart card certificate, and Secret Server passes the user through because they are logged in as an AD user.

To do this, there are two parts:

Configure Client Certificate Authentication in IIS

Configure Windows Authentication in IIS and Secret Server (see Configuring Integrated Windows Authentication)

  1. Install the Client Certificate Mapping Authentication and IIS Client Certificate Mapping Authentication role services for IIS.
  2. Reboot.
  3. In IIS Manager, highlight the server and click Authentication. Enable Active Directory Client Certificate Authentication.
  4. In IIS Manager, highlight the virtual folder for SecretServer and click SSL Settings. Check Require SSL and select Accept under Client Certificates.
  5. Edit the file:

    %windir%\system32\inetsrv\config\applicationhost.config

    and add

    <clientCertificateMappingAuthentication enabled="true" />

    under the <windowsAuthentication enabled="false" /> element.
  6. Enable Integrated Windows Authentication in Secret Server. When the user goes to the website, they are prompted for smart card credentials if a smart card is inserted. Otherwise, they are taken to the login screen.
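
A read-only check of the results of steps 4 and 5, as an added example that is not part of the original article or the vendor's tooling. The function name `Test-SmartCardIisConfig`, the application path `Default Web Site/SecretServer` and the sample XML are constructed for illustration, and the check assumes the SSL settings for the application are stored in a `<location>` element of applicationhost.config rather than delegated to the application's web.config.

```powershell
# Added example: parses applicationhost.config and reports the smart card settings.
function Test-SmartCardIisConfig {
    param(
        [Parameter(Mandatory)] [xml]    $Config,
        [Parameter(Mandatory)] [string] $AppPath   # "<site>/<application>" (placeholder)
    )
    # Step 5: server-level <clientCertificateMappingAuthentication enabled="true" />
    $auth = $Config.SelectSingleNode(
        '/configuration/system.webServer/security/authentication/clientCertificateMappingAuthentication')
    $mapping = ($null -ne $auth) -and ($auth.GetAttribute('enabled') -eq 'true')

    # Step 4: SSL Settings are stored as sslFlags in the application's <location> element
    $loc = $Config.SelectNodes('/configuration/location') |
        Where-Object { $_.GetAttribute('path') -eq $AppPath } | Select-Object -First 1
    $flags = @()
    if ($null -ne $loc) {
        $access = $loc.SelectSingleNode('system.webServer/security/access')
        if ($null -ne $access) {
            $flags = @($access.GetAttribute('sslFlags') -split ',' | ForEach-Object { $_.Trim() })
        }
    }
    [pscustomobject]@{
        ClientCertMappingEnabled = $mapping
        RequireSsl               = $flags -contains 'Ssl'
        # "Accept" negotiates a certificate without making it mandatory, so users
        # without a card still reach the login screen (step 6).
        ClientCertsAccept        = ($flags -contains 'SslNegotiateCert') -and
                                   ($flags -notcontains 'SslRequireCert')
    }
}

# Constructed sample fragment (not a real server's configuration).
$sample = [xml]@'
<configuration>
  <system.webServer><security><authentication>
    <windowsAuthentication enabled="false" />
    <clientCertificateMappingAuthentication enabled="true" />
  </authentication></security></system.webServer>
  <location path="Default Web Site/SecretServer">
    <system.webServer><security>
      <access sslFlags="Ssl, SslNegotiateCert" />
    </security></system.webServer>
  </location>
</configuration>
'@
Test-SmartCardIisConfig -Config $sample -AppPath 'Default Web Site/SecretServer'
```

On the server, pass `[xml](Get-Content "$env:windir\system32\inetsrv\config\applicationhost.config" -Raw)` as `-Config` from an elevated 64-bit PowerShell session; all three properties should be `True` after completing the steps above.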

If you experience a performance issue with the first login, it may be related to the SSLAlwaysNegoClientCert property. More on this can be read here: Changing IIS to Not Stop Worker Process in IIS 7.0 and Later

This property could affect performance, which makes sense during the initial load of the home screen (probably one of the larger screens in Secret Server in terms of size).