In IIS, I can "ignore", "allow" and "require" client certificates.
In ASP.NET WebAPI (version 4.0 that just launched a little while back), I seem to have the ability to only "ignore" or "require".
By default, client certificates are ignored... so this statement always yields null:
var cert = actionContext.Request.GetClientCertificate();
But, if I set this flag on my config:
config.ClientCredentialType = HttpClientCredentialType.Certificate;
Then I get the client cert... but, I no longer have the ability to allow anonymous access.
My anonymous client now gets a 403 error: "The remote server returned an error: (403) Forbidden."
Can I do a sort of "allow" like in IIS?
This is a known limitation with using an X509 certificate in a self-host scenario. The actual limitation is from the underlying transport binding in WCF, which does not have the allow option with regard to client certificates.
You can, however, allow multiple authentication schemes with other options, such as anonymous and Windows. We are working with the WCF team to find out if we can add that support with anonymous and X509 certificate as well.
Hope this clarifies.
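
An added example, not part of the question or the answer above: one way to get "allow"-style behaviour in application code on a host that does pass an optional client certificate through (for example IIS set to accept certificates), written as a Web API message handler. The handler name, the thumbprint allow-list and the controller are hypothetical, chain validation is assumed to be done by the host, and under self-host the transport limitation described in the answer still applies.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Hypothetical handler: a client certificate is optional at the application layer.
public class OptionalClientCertificateHandler : DelegatingHandler
{
    private readonly HashSet<string> _allowed;

    // allowedThumbprints: constructed allow-list of trusted client certificates.
    public OptionalClientCertificateHandler(IEnumerable<string> allowedThumbprints)
    {
        _allowed = new HashSet<string>(allowedThumbprints, StringComparer.OrdinalIgnoreCase);
    }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Null when the client sent no certificate or the host ignores them.
        X509Certificate2 cert = request.GetClientCertificate();

        if (cert != null && _allowed.Contains(cert.Thumbprint))
        {
            // Known certificate: attach an authenticated principal.
            var identity = new GenericIdentity(cert.Subject, "X509");
            Thread.CurrentPrincipal = new GenericPrincipal(identity, new string[0]);
        }
        // No certificate or an unknown one: the request continues unauthenticated
        // and only actions without [Authorize] will serve it.
        return base.SendAsync(request, cancellationToken);
    }
}

public class StatusController : ApiController
{
    // Open to anonymous callers.
    public string Get() { return "ok"; }

    // Reached only when the handler attached a principal.
    [Authorize]
    public string Post() { return "authenticated"; }
}

// Registration: config.MessageHandlers.Add(new OptionalClientCertificateHandler(thumbprints));
```

When hosted in IIS, assign the same principal to HttpContext.Current.User as well so that both views of the caller agree.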