I have a third party web application and now my manager wants to add smart card authentication to some of the pages (not the whole application) and return certificate inform
If your app is hosted in IIS then simply add (in web.config) a section that says client certificate is required for those pages. The browser will then ask the user for a cert.
Windows has a caching feature which, by default, allows applications to access the private key for a limited time after the initial PIN prompt, or until the application is closed completely.
To disable, set this registry key. (Or use a GPO)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography]
"PrivKeyCacheMaxItems"=dword:00000000
"PrivKeyCachePurgeIntervalSeconds"=dword:00000000
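
The web.config approach mentioned in the IIS reply above, as an added example that is not part of the original posts. The paths `secure` and `secure/report.aspx` are hypothetical placeholders for the pages that need smart card authentication; the rest of the site keeps its existing settings.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>

  <!-- Hypothetical folder: every page under /secure requires a client
       certificate. SslRequireCert makes IIS reject the request (HTTP 403.7)
       when the browser presents no certificate. -->
  <location path="secure">
    <system.webServer>
      <security>
        <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
      </security>
    </system.webServer>
  </location>

  <!-- Hypothetical single page, shown for contrast: SslNegotiateCert alone
       only ASKS for a certificate. A user who cancels the prompt still
       reaches the page, so the application must check for the certificate
       itself. Use SslRequireCert (as above) when the certificate is
       mandatory. -->
  <location path="secure/report.aspx">
    <system.webServer>
      <security>
        <access sslFlags="Ssl, SslNegotiateCert" />
      </security>
    </system.webServer>
  </location>

</configuration>
```

On a default IIS installation the `system.webServer/security/access` section is locked at server level, so it has to be unlocked for the site (for example with `appcmd unlock config`) before these `<location>` entries take effect. The site also needs an HTTPS binding, because client certificates are exchanged as part of the TLS handshake.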