Configuring F5 to reliably request pin when CAC card certificate selected

Question

We have a website behind an F5 which is currently configured through an IRULE to request a CAC card certificate when a secure sub directory is requested. This works fine and when I present my email certificate is successfully reads the cert and we get the user name back in the header from the F5. This is all good so far. The issue is we do not get a pin request and we have a requirement for multi factor authentication using the CAC card.

My question is what are we doing wrong such that we are never asked for the PIN? I have tried all of the certs on my CAC card as well as Chrome, IE and Firefox with no success.

Thanks for any help you can provide!

shaun_simmons · Answer

To understand your configuration: Do you have an APM profile assigned to the VIP that is supporting the application in question?

---------------

-If the users are internal only, on the same domain as the application, you are accessing the site via Kerberos or NTML.

-you can verify via Powershell by typing the following:

> klist

*Press Enter

-Below is an example of what you will see:

#1 will be the SPN / URL of the application or site you are accessing.

-Example site: fimportal.corp.contoso.com

Forum Discussion

Configuring F5 to reliably request pin when CAC card certificate selected

Recent Discussions

Which process is consuming higher CPU

F5 Health Monitor Receive String as JSON

Background Tasks

SSL bridging without SSL proxy forward

Big-IP VE edition for MacBook M4 Chip

Related Content

Certificate Expiry Email alert configuration

Automating ACMEv2 Certificate Management on BIG-IP

Building an OpenSSL Certificate Authority - Configuring CRL and OCSP

Adopting Site Reliability Engineering with F5

Reliable resources for identifying IP addresses

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS