CAC for accessing Windows applications

Is anyone administrating (or writing applications for) a Windows network that uses Common Access Cards (CAC) to control access to software and services installed on your Windows servers? I need to know how CAC fit into the AD authentication schemes, and how/if software needs to be changed to support CAC authentication. Can any software application be used with CAC, or must the software contain special support for AD authentication?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

dynamik

How is that different than a smartcard? They refer to at as a smartcard throughout the article and say it's used in a smartcard reader. Am I missing something?

Is it just "Common Access" because it's also an ID?

JDMurray

I'm specifically interested in the CACs used by the DoD. I believe they contain a digital certificate that is read by a proximity reader when access to a computer or network resource is needed by a user.

dynamik

That sounds like a typical smart card.

You just check a box in the user's account properties to require smart card logon, and the user will have to insert the card and enter his or her pin number in order to authenticate. There shouldn't be any difference in functionality between that and a password once the user is authenticated.

JDMurray

Apparently, CACs are also used to control access to specific, administrator-level software applications too. I need to understand how that works. I'm thinking it's all Kerberos under the hood, but I'm not clear if it's only AD controlling access or do the software applicators themselves play a part in the authentication process.

btowntech

The only thing I use my CAC card for is logging into the computer. The applications that I'm suppose to have access to are associated with my profile. I do know that if I log in with just my username and password that it doesn't give me access to certain things until I insert my CAC card and enter my pin number. Hope that helps a bit!

sprkymrk

Let me get you some info when I get back to work next week. I'm in Sidewinder Training at the moment.

Vassago68

JD,

CAC or SmartCards are the same thing, just called different things from the Private Sector to the Military.

Normally, you need Tumbleweed Desktop Validator in order to facilitate the Group Policy's with the CAC. As far as in AD, all you have to do is input their EDI # the appropriate field under the account tab (normally this will have their non-cac login in the field), as well as change the drop down to @mil rather then the local domain.

At least this is how it is done here where I work, and most places I have seen in the Army.

As far as access to specific software, we just make sure that whatever profile they are logging into has that access, as the CAC will just give them access to login to that specific account.

Tyrant1919

It was just as easy with me in the AF Vassago.

I remember our System Admins having two CACs, and two card readers.