Adaxes

Smartcard Authentication only

0 votes

Hello,

we have an internal PKI-setup and are using SmartCards for many administrative tasks. Our IT-security department has asked us to implement Smartcard-Authentication on one of our Adaxes-Portals. This portal should not support password-based logins.

To accomplish this we

- configured "Client Certificate Mapping Authentication" in IIS
- set "Active Directory Client Certificate Authentication" to enabled in IIS
- set the SSL-settings on the web site to "Require SSL" and "Require Client Certificate" in IIS

ASP.NET Impersonation authentication is the only authentication method that is enabled under "Authentication"

Connecting to the portal with smartcard works fine in general. When we connect, we are presented a smartcard prompt and once we choose the correct certificate we are logged on automatically (SSO).

Unfortunately we are seeing the following issue: If we chose to logoff from Adaxes using the logoff option on the top right-hand side in the browser we are taken back to a username / password dialog box. When we type in a valid username and password we are authenticated again - but we don't want that. We need to be able to enforce SmartCard authentication only. User should not be allowed to type in their usernames and passwords.

Could you please advise what we could do?

Thank you very much!
HarryNew

by (270 points)
0

Hello Harry,

Could you specify, what version of Adaxes you are currently using? To check that:

  1. Launch Adaxes Administration Console.
  2. In the Console Tree, right-click your service.
  3. In the context menu, click Properties.
  4. Adaxes version will be displayed on the General tab.
by (289k points)
moved by
0

Hello,

thank you for your answer. Our version is

3.8.14823.0

Regards
HarryNew

by (270 points)
moved by

1 Answer

0 votes
by (289k points)
selected by
Best answer

Hello Harry,

Thank you for specifying.

Unfortunately, there is no possibility to avoid displaying the sign in page after users sign out from a Web Interface. If you want to disallow users to sign in using their usernames and passwords, you need to enable the Smart card is required for interactive logon Account Option for the users.

For details on updating property values of AD objects, have a look at the following help article: https://www.adaxes.com/help/?HowDoI.Man ... rties.html.

Related questions

0 votes
1 answer
How do you enable smartcard authentication?

Our management team is requiring that our accounts be protected with a smart card. We are using Yubikey smartcards and need to enable the ability to authenticate with the web ... web interface with our smart cards. Can this be done? Is there a guide?

asked Oct 21, 2020 by mark.it.admin (2.3k points)
+1 vote
1 answer
How to have 2 Factor authentication ON or restrict the access to Web Configurator from internal network only ?

We know only service administrators by default are allowed to access the web configurator, however is there any way to restrict that the the web configurator is only available on ... ON 2FA on Web configurator website, like we can on other web interfaces ?

asked Feb 13, 2021 by rsaran (70 points)
0 votes
1 answer
Login Screen with Self-service Enabled plus SmartCard Reader

Hi, I'm wondering if there is a way round the following "issue" we have. We are running 2018.2 (3.10.16008.0 x64) with Self-Service Client 1.3.7797.0. A ... given a choice of sign-in options, just go straight to Username & Password? Many thanks, Simon

asked Jan 17, 2019 by simontorroni (70 points)
0 votes
1 answer
Smartcard; additional PIN Dialog

Hello Support-Team, we are using Smartcards for Windows logon. Some users get an additional PIN Dialog after they launch the Adaxes Administration Console. This also happens every time they unlock a Session. Is this a known issue? Is there a fix?

asked May 2, 2018 by mweller (100 points)
0 votes
0 answers
Does Adaxes require basic authentication in WinRM to be enabled?

Starting from Adaxes 2023.2, Adaxes uses the EXOv3 PowerShell module for all operations in Exchange Online. This means basic authentication in WinRM can be disabled on ... s OAuth token because the client-side implementation of WinRM does not support OAuth.

asked Mar 1, 2023 by Adaxes (560 points)
3,552 questions
3,242 answers
8,243 comments
547,831 users