Eru

Reputation: 397

Client Authentication via Smart card X509 Certificate in asp.net without login and password

I would like to ask about the authentication of a user to Active Directory with the X509 certificate. I saw a similar question, Client Authentication via X509 Certificates in asp.net; however, the answer says that it requires the login and password. The scenario that I would like to achieve is this:

  1. User clicks on the login button: "Login with smart card";
  2. The system reads the card using some reader or a reader built into the laptop (let's say it waits 5 seconds for the user to use the card);
  3. The system authenticates the user with AD.

The smart card contains both the public and the private key.

Can this be achieved and, if yes, how? I would also like to understand how the website (.NET Core) should communicate with the AD and where this should be placed.

Upvotes: 1

Views: 2097

Answers (1)

Mladen B.

Reputation: 3013

Have you read the MS guide titled Configure certificate authentication in ASP.NET Core? It seems that, normally, you would configure some basic validations through the CertificateAuthenticationOptions and then implement an OnCertificateValidated event handler to perform some custom validation, like utilizing the data in your AD and verifying if the given person is present in the AD and has any roles, etc.

Some things to bear in mind (from that guide):

Certificate authentication happens at the TLS level, long before it ever gets to ASP.NET Core

and

Remember the certificate exchange is done at the start of the HTTPS conversation, it's done by the server before the first request is received on that connection so it's not possible to scope based on any request fields.

Upvotes: 0
