How do I authenticate users when "Smart card is required for interactive logon" is set?
http://support.microsoft.com/kb/892424
When "Smart card is required for interactive logon" is set in Active Directory, it generates a random password. How do I utilize a smart card to authenticate a user over LDAP from a web application?
How do I know who the user is? Is there a way to access the cert? Can I get it from the session?
HTTPS with SSL mutual authentication should be used for this, because the client already has at least a corporate CA-signed certificate stored on its smart card.
When mutual SSL authentication is used instead of just server authentication, the client certificate is also verified by the server, not only the server's certificate by the client (which is the more common set-up for e.g. HTTPS-enabled e-commerce sites). And you still get an encrypted connection as a bonus.
See e.g. the Tomcat 6.0 SSL Configuration HOW-TO. The key point is to have the CA certificate in the trust-store and the clientAuth attribute set to true.
The login auth-method should also be specified as CLIENT-CERT in the web.xml of the respective web application:
The SubjectDN attribute from the client certificate is used to identify the user. LDAP (or Active Directory) can still be used for authorization, e.g. by checking whether the user belongs to a group.
It can be difficult to set it all up the first time. To get familiar with all the concepts I recommend the following approach:
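The mapping step the answer describes (identify the user from the SubjectDN, then ask the directory about group membership), as an added example that is not the answerer's code. It assumes the subject and issuer strings are what a servlet obtains from the first certificate in request.getAttribute("javax.servlet.request.X509Certificate") via getSubjectX500Principal().getName() and getIssuerX500Principal().getName(); the directory entries, the CA name and the group name are constructed, and search() is an in-memory stand-in for the LDAP query. It goes slightly beyond the answer by pinning the issuing CA, escaping the value placed in the search filter, and failing closed when the CN is ambiguous.

```python
"""Map a mutual-TLS client certificate to a directory user and authorize by
group.  Added example, not the answerer's code; DIRECTORY is a constructed
stand-in for Active Directory and search() for the LDAP query."""
import re

# Pin the CA that issues the smart-card certificates (assumed name).  The
# Tomcat trust-store may hold more roots; certificates from any other CA fail.
TRUSTED_ISSUER = "CN=Corp Issuing CA 01,DC=corp,DC=example,DC=com"
ADMIN_GROUP = "CN=WebApp-Admins,OU=Groups,DC=corp,DC=example,DC=com"
STAFF_GROUP = "CN=Staff,OU=Groups,DC=corp,DC=example,DC=com"

# Constructed entries; attribute names are the ones AD uses.
DIRECTORY = [
    {"objectClass": "user", "cn": "Alice Smith",
     "userPrincipalName": "alice@corp.example.com", "memberOf": [ADMIN_GROUP]},
    {"objectClass": "user", "cn": "Bob Jones",
     "userPrincipalName": "bob@corp.example.com", "memberOf": [STAFF_GROUP]},
    {"objectClass": "user", "cn": "Bob Jones",          # same CN, other OU
     "userPrincipalName": "bob2@corp.example.com", "memberOf": [ADMIN_GROUP]},
    {"objectClass": "user", "cn": "Smith, Carol",
     "userPrincipalName": "carol@corp.example.com", "memberOf": [ADMIN_GROUP]},
]


def parse_dn(dn):
    """Split an RFC 4514 DN into (type, value) pairs.  Backslash and hex
    escapes are honoured, so a comma inside a CN cannot forge extra RDNs."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            hexpair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
                cur.append(chr(int(hexpair, 16)))
                i += 3
            else:
                cur.append(dn[i + 1])
                i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def ldap_escape(value):
    """RFC 4515 escaping for a value embedded in a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def _match(entry, attr, pattern):
    # '*' is a wildcard; everything else is literal once escapes are undone.
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    values = entry.get(attr, [])
    values = [values] if isinstance(values, str) else values
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)


_ITEM = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")


def search(filter_str):
    """Stand-in for an LDAP search: understands (a=v) and (&(a=v)(b=v)...)
    with '*' wildcards, which is how a real server reads an unescaped filter."""
    body = filter_str[2:-1] if filter_str.startswith("(&") else filter_str
    items = _ITEM.findall(body)
    if not items or "".join("(%s=%s)" % it for it in items) != body:
        raise ValueError("unsupported or malformed filter: " + filter_str)
    return [e for e in DIRECTORY if all(_match(e, a, v) for a, v in items)]


def authorize(subject_dn, issuer_dn, required_group):
    """Return the userPrincipalName when the certificate identifies exactly
    one directory user who is a member of required_group; otherwise None."""
    def norm(dn):
        return [(t, v.lower()) for t, v in parse_dn(dn)]
    if norm(issuer_dn) != norm(TRUSTED_ISSUER):
        return None                      # wrong CA, even if Tomcat trusted it
    cn = next((v for t, v in parse_dn(subject_dn) if t == "cn"), None)
    if not cn:
        return None
    hits = search("(&(objectClass=user)(cn=%s))" % ldap_escape(cn))
    if len(hits) != 1:
        return None                      # unknown or ambiguous: fail closed
    groups = {g.lower() for g in hits[0]["memberOf"]}
    if required_group.lower() not in groups:
        return None
    return hits[0]["userPrincipalName"]


if __name__ == "__main__":
    base = ",OU=Users,DC=corp,DC=example,DC=com"
    print(authorize("CN=Alice Smith" + base, TRUSTED_ISSUER, ADMIN_GROUP))
    print(authorize("CN=Smith\\, Carol" + base, TRUSTED_ISSUER, ADMIN_GROUP))
    print(authorize("CN=*" + base, TRUSTED_ISSUER, ADMIN_GROUP))
```

Two points matter here beyond the Tomcat settings themselves. The trust-store should contain only the enterprise CA that issues the smart-card certificates, not a general-purpose bundle such as the JDK's cacerts, otherwise any client certificate from a public CA passes the handshake; the issuer pin above guards against that even so. And clientAuth="true" makes Tomcat verify the chain but not revocation, so a certificate from a lost card is still accepted until a CRL is configured on the connector (the crlFile attribute) or the application checks revocation itself.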