CAC for accessing Windows applications

JDMurray | MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ | Surf City, USA | Admin | Posts: 11,948
Is anyone administrating (or writing applications for) a Windows network that uses Common Access Cards (CAC) to control access to software and services installed on your Windows servers? I need to know how CACs fit into the AD authentication schemes, and how/if software needs to be changed to support CAC authentication. Can any software application be used with CAC, or must the software contain special support for AD authentication?

Comments

  • dynamik | Banned | Posts: 12,314
    How is that different than a smartcard? They refer to it as a smartcard throughout the article and say it's used in a smartcard reader. Am I missing something?

    Is it just "Common Access" because it's also an ID?
  • JDMurray | MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ | Surf City, USA | Admin | Posts: 11,948
    I'm specifically interested in the CACs used by the DoD. I believe they contain a digital certificate that is read by a proximity reader when access to a computer or network resource is needed by a user.
  • dynamik | Banned | Posts: 12,314
    That sounds like a typical smart card.

    You just check a box in the user's account properties to require smart card logon, and the user will have to insert the card and enter his or her PIN number in order to authenticate. There shouldn't be any difference in functionality between that and a password once the user is authenticated.
  • JDMurray | MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ | Surf City, USA | Admin | Posts: 11,948
    Apparently, CACs are also used to control access to specific, administrator-level software applications too. I need to understand how that works. I'm thinking it's all Kerberos under the hood, but I'm not clear if it's only AD controlling access or do the software applications themselves play a part in the authentication process.
  • btowntech | Member | Posts: 198
    The only thing I use my CAC card for is logging into the computer. The applications that I'm supposed to have access to are associated with my profile. I do know that if I log in with just my username and password that it doesn't give me access to certain things until I insert my CAC card and enter my PIN number. Hope that helps a bit!
    BS - Information Technology; AAS - Electro-Mechanical Engineering
  • sprkymrk | Member | Posts: 4,884
    Let me get you some info when I get back to work next week. I'm in Sidewinder Training at the moment.
    All things are possible, only believe.
  • Vassago68 | Member | Posts: 49
    JD,

    CAC or SmartCards are the same thing, just called different things from the Private Sector to the Military.

    Normally, you need Tumbleweed Desktop Validator in order to facilitate the Group Policies with the CAC. As far as in AD, all you have to do is input their EDI # in the appropriate field under the account tab (normally this will have their non-CAC login in the field), as well as change the drop down to @mil rather than the local domain.

    At least this is how it is done here where I work, and most places I have seen in the Army.

    As far as access to specific software, we just make sure that whatever profile they are logging into has that access, as the CAC will just give them access to login to that specific account.
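
Added example, not part of any post in this thread: a read-only check that ties together the two settings described above, the "require smart card logon" checkbox and the `<EDI#>@mil` logon name. The function name, the sample accounts and the assumption that the EDI number is all digits are constructed for illustration; `Get-ADUser` and its `SmartcardLogonRequired` property come from the ActiveDirectory module.

```powershell
# Added example (not from the thread). Read-only: it reports, it changes nothing.
# Assumption: a CAC-mapped account has a logon name (UPN) of the form <digits>@mil.
$CacUpnPattern = '^\d+@mil$'

function Get-CacAccountFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Account   # needs SamAccountName, UserPrincipalName, SmartcardLogonRequired
    )
    process {
        $upnIsCac = [bool]("$($Account.UserPrincipalName)" -match $CacUpnPattern)
        $required = [bool]$Account.SmartcardLogonRequired

        # The two settings should agree; a mismatch is what an admin wants to see.
        $finding = if ($upnIsCac -and $required) {
            'OK'
        } elseif ($upnIsCac) {
            'UPN mapped to CAC, but smart card logon is not required'
        } elseif ($required) {
            'Smart card logon required, but UPN is not <EDI#>@mil'
        } else {
            'Not CAC-enabled'
        }

        [pscustomobject]@{
            SamAccountName         = $Account.SamAccountName
            UserPrincipalName      = $Account.UserPrincipalName
            SmartcardLogonRequired = $required
            Finding                = $finding
        }
    }
}

# Constructed sample accounts (placeholders, not real identifiers).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'user.a'; UserPrincipalName = '0000000001@mil';      SmartcardLogonRequired = $true  }
    [pscustomobject]@{ SamAccountName = 'user.b'; UserPrincipalName = '0000000002@mil';      SmartcardLogonRequired = $false }
    [pscustomobject]@{ SamAccountName = 'user.c'; UserPrincipalName = 'user.c@example.test'; SmartcardLogonRequired = $true  }
    [pscustomobject]@{ SamAccountName = 'svc.d';  UserPrincipalName = 'svc.d@example.test';  SmartcardLogonRequired = $false }
)
$sample | Get-CacAccountFinding | Where-Object Finding -ne 'OK' | Format-Table -AutoSize

# Against a real domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties SmartcardLogonRequired |
#     Get-CacAccountFinding | Where-Object Finding -ne 'OK'
```
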
  • Tyrant1919 | Senior Member | Member | Posts: 519
    It was just as easy with me in the AF, Vassago.

    I remember our System Admins having two CACs, and two card readers.
    A+/N+/S+/L+/Svr+
    MCSA:03/08/12/16 MCSE:03s/EA08/Core Infra
    CCNA