I run a webserver that authenticates users with a username and password. I want to enable PKI authentication on my webserver while still allowing users to log in with a username/password combination (the latter will have limited access to the website). I will be using a third-party PKI. My users are already in possession of certificates that have been issued by the external CA. Finally, my website implements SSL.
What I want:
An anonymous user arrives at the login page and selects his login method (either a certificate or username/password combination). Upon selecting the option for certificate login, the user will be redirected to a page that requires a valid client certificate. The user presents a valid certificate, is authenticated, and authorized to view the website.
Alternatively, the user selects the option for username/password login. The user is authenticated and is authorized with limited roles.
Here is my problem:
Users exist in Active Directory and are authenticated with a username/password. I need to retain username/password authentication while also allowing a user to authenticate with a certificate mapped to his account. In addition, an existing user will need to assign a certificate to his account. In other words, self-service certificate mapping (potentially through an LDAP request).
Where I am in development:
I can request a user's client certificate, validate it through IIS, and then grab on to the cert's variables (issuer, subject, serial number, etc.). Normally, a user presents a username/password, I query AD with an LDAP request, authenticate the user, then authorize roles based on the user's permissions contained in the SQL database. Can I configure AD to authenticate a user with cert variables instead of a username/password combination?