Welcome to Windows Communication Foundation (WCF)
WCF Team Bloggers

Adding SSL Support to OhmBlog

CardSpace only works over HTTPS sessions. So in order for that CardSpace dialog to pop up, I needed to get an SSL cert for www.gazitt.com. Fortunately, that wasn't too hard. My hoster (eNom) has a workflow for obtaining certs from Secure Business Services. They cost $30/year and utilize online validation (really, just an e-mail sent to your account, where you click a link). Not very trustworthy, but I'm not complaining - a cert from GeoTrust costs $175/year and doesn't work any better :-)

The hard part was that since eNom doesn't host my site (it's hosted out of my office at home), I needed to install the cert myself. Basically the process looks like the following:

1. Use the IIS6 facilities for requesting a cert, and paste the encrypted cert request into the online form at sbs.com.
2. Get the validated cert from SBS, along with a Trusted Root cert and an Intermediate Cert Authority cert.
3. Install them into the Windows cert store. (SBS has some good directions posted here, and specifically for IIS6 here.) You have to bring up the Cert management mmc plug-in and install multiple certs into different places in the Local Computer cert store. Couldn't have done it without the excellent directions posted on the SBS site.

So far, so good. Now comes the fun part. You have to grant permission to the private key file for the cert to the NETWORK SERVICE account (or whatever account you run the site under). Here are some tips I got from Garrett Serack:

1. Use the FindPrivateKey utility that ships with the NetFX 3.0 SDK (under the "Setup WCF Samples" sample) to find the private key file for the cert, based on its thumbprint. Here's a link to FindPrivateKey that was compiled on an x86 machine against .NET FX 3.0 (may work with 2.0 as well) - just remove the ".txt" extension. Like so:

   findprivatekey my localmachine -t <substitute 20-byte hex thumbprint here> -a

2. Once you've found the right file, use the cacls utility to set the right ACL on the private key file:

   cacls "D:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\<private key file>" /G "NT AUTHORITY\NETWORK SERVICE":R

That's it... now I can set my blog root to https://www.gazitt.com/blog and CardSpace auth works!

Oh yeah, one more thing. If you're a little silly like me, it may take you 30 min to realize that you also need to make sure your home firewall (the Linksys WRT54G in my case) is told to pass HTTPS traffic to your webserver box :-)

Overall, I
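The two steps above (find the key file by thumbprint, then grant the site account read access) done in one PowerShell script. This is an added example, not the post's or the SDK's own code; it assumes the cert sits in LocalMachine\My with a CAPI (RSA) key as on IIS6-era systems, that the script runs elevated, and that the thumbprint and account are supplied by the caller.

```powershell
# Added example (not from the original post): locate a certificate's CAPI private
# key file by thumbprint and grant the site account read access on it.
# Assumptions: cert in LocalMachine\My, CAPI RSA key (not CNG), script runs elevated.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,   # 40 hex chars; spaces are stripped
    [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'     # identity the site runs under
)

# Thumbprints pasted from the MMC often carry spaces; the store compares upper-case hex.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
try {
    $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
} finally {
    $store.Close()
}
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

# Same lookup FindPrivateKey performs: the CSP reports the key container's unique file name,
# which lives under <CommonApplicationData>\Microsoft\Crypto\RSA\MachineKeys.
$csp = $cert.PrivateKey.CspKeyContainerInfo
if (-not $csp) { throw "Certificate has no CAPI private key (CNG keys are stored elsewhere)" }
$keyFile = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) `
    ("Microsoft\Crypto\RSA\MachineKeys\" + $csp.UniqueKeyContainerName)
if (-not (Test-Path $keyFile)) { throw "Private key file not found: $keyFile" }
Write-Host "Private key file: $keyFile"

# Add a Read ACE rather than replacing the ACL. Note that cacls /G without /E replaces
# the whole ACL, which would drop SYSTEM and Administrators from the key file.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Verify: show the ACEs now present on the key file for the target account.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run as `.\Grant-KeyRead.ps1 -Thumbprint '<thumbprint>'` from an elevated prompt; the final table should list the account with Read rights.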
Published Sunday, January 07, 2007 10:01 PM by OhmBlog

