Feb 05, 2020

Configuring F5 to reliably request PIN when CAC card certificate selected

We have a website behind an F5 which is currently configured through an iRule to request a CAC card certificate when a secure subdirectory is requested. This works fine, and when I present my email certificate it successfully reads the cert and we get the user name back in the header from the F5. This is all good so far. The issue is we do not get a PIN request, and we have a requirement for multi-factor authentication using the CAC card.


My question is what are we doing wrong such that we are never asked for the PIN? I have tried all of the certs on my CAC card as well as Chrome, IE and Firefox with no success.


Thanks for any help you can provide!

  • To understand your configuration: Do you have an APM profile assigned to the VIP that is supporting the application in question?


    -If the users are internal only, on the same domain as the application, you are accessing the site via Kerberos or NTLM.

    -You can verify via PowerShell by typing the following:

    > klist

    *Press Enter

    -Below is an example of what you will see:

    #1 will be the SPN / URL of the application or site you are accessing.

    -Example site: