Is there any way to use Client Certificates with ASP.NET 5?

Question

We are developing an ASP.NET 5 project and one of the requirements is that user authentication is done through client certificates via browser, but I can't make this work.

Using web.config and IIS the certificate is requested properly with this configuration:

<system.webServer>
  <security>
    <access sslFlags="Ssl, SslNegotiateCert" />
    <authentication>
      <iisClientCertificateMappingAuthentication enabled="true" />
    </authentication>
  </security>
</system.webServer>

But the client certificate does not arrive to the web application, as I understand it should be in context.Connection.ClientCertificate property, where context is the current HttpContext.

I suspect that httpPlatformHandler that tunnels IIS to Kestrel is ignoring https and this may be implemented in the future.

I have made some tests with an OWIN site (not DNX) and a custom AuthenticationHandler that gets the X509 client certificate and works properly under IIS.

Answer 1

It looks like there has been some work done on this and a pull request and merge was done implementing this. So... hopefully we'll see it in a updated release of Kestrel.

See here: https://github.com/aspnet/KestrelHttpServer/pull/385

Answer 2

As I can read in the Change to IIS hosting model announcement:

• The HttpPlatformHandler currently does not forward client certs (this will be a future enhancement)

So, it seems that is not possible right now and httpPlaformHandler must be fixed.