Showing results for 
Search instead for 
Did you mean: 

Configuring F5 to reliably request pin when CAC card certificate selected


We have a website behind an F5 which is currently configured through an IRULE to request a CAC card certificate when a secure sub directory is requested. This works fine and when I present my email certificate is successfully reads the cert and we get the user name back in the header from the F5. This is all good so far. The issue is we do not get a pin request and we have a requirement for multi factor authentication using the CAC card.


My question is what are we doing wrong such that we are never asked for the PIN? I have tried all of the certs on my CAC card as well as Chrome, IE and Firefox with no success.


Thanks for any help you can provide!


F5 Employee
F5 Employee

To understand your configuration: Do you have an APM profile assigned to the VIP that is supporting the application in question?


-If the users are internal only, on the same domain as the application, you are accessing the site via Kerberos or NTML.

-you can verify via Powershell by typing the following:

> klist

*Press Enter

-Below is an example of what you will see:

#1 will be the SPN / URL of the application or site you are accessing.0691T000008GDW9QAO.png

-Example site: