Secure ASP.NET MVC application with SSL and client certificate authentication

I'm looking to secure an ASP.NET MVC application with SSL and client certificate authentication. I'm using IIS 7.5, Windows Server 2008 R2.

I'd like to know whether it's possible to do the following through Web.config (it has to be through there!)

  1. Require SSL communication for all requests
  2. Map multiple client certificates to a single user
  3. Require the user to be authenticated

Also, any pointers on how to go on about doing this, any tutorials or other relevant resources will be much appreciated as I'm new to pretty much all of these things.

Stupid Idiot asked Oct 19 '11 17:10



1 Answer

So, to answer my own questions... all of the above can be achieved through the Web.config. The following section of the Web.config requires SSL through the system/access section, and configures many-to-one client certificate mapping. These sections are locked in the applicationHost.config, so anyone wishing to edit them in the Web.config will need to unlock them. There are many tutorials on that, so I won't go into it.

    <!-- The <security> section below lives under <system.webServer> in Web.config;
         the outer elements are shown so the fragment is well-formed on its own. -->
    <configuration>
      <system.webServer>
        <security>
            <!-- Ssl: reject plain HTTP. SslNegotiateCert: ask the client for a certificate;
                 connections without one are still accepted at the TLS layer
                 (SslRequireCert would reject them). -->
            <access sslFlags="Ssl, SslNegotiateCert" />
            <authentication>
                <!-- Every request must be authenticated: no anonymous access. -->
                <anonymousAuthentication enabled="false" />
                <!-- Map any certificate matching the rules to one Windows account.
                     userName/password are placeholders for that account's credentials. -->
                <iisClientCertificateMappingAuthentication enabled="true" manyToOneCertificateMappingsEnabled="true">
                    <manyToOneMappings>
                        <add name="Authentication Certificate"
                             enabled="true"
                             permissionMode="Allow"
                             userName="foo"
                             password="bar">
                            <rules>
                                <!-- Match on the issuer CN; wildcard and case-insensitive comparison. -->
                                <add certificateField="Issuer" certificateSubField="CN" matchCriteria="*.stackoverflow.com" compareCaseSensitive="false" />
                            </rules>
                        </add>
                    </manyToOneMappings>
                </iisClientCertificateMappingAuthentication>
            </authentication>
        </security>
      </system.webServer>
    </configuration>
Stupid Idiot answered Oct 25 '22 05:10
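A configuration audit for the section in the answer, added here as an example that is not part of the original post or of IIS. It parses a constructed Web.config carrying the same settings and reports where each of the three requirements in the question is not fully met; the sslFlags values (Ssl, SslNegotiateCert, SslRequireCert) are real IIS settings, while the audit function and its messages are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed Web.config mirroring the answer above; userName/password are placeholders.
WEB_CONFIG = """<configuration><system.webServer><security>
  <access sslFlags="Ssl, SslNegotiateCert" />
  <authentication>
    <anonymousAuthentication enabled="false" />
    <iisClientCertificateMappingAuthentication enabled="true" manyToOneCertificateMappingsEnabled="true">
      <manyToOneMappings>
        <add name="Authentication Certificate" enabled="true" permissionMode="Allow" userName="foo" password="bar">
          <rules>
            <add certificateField="Issuer" certificateSubField="CN" matchCriteria="*.stackoverflow.com" compareCaseSensitive="false" />
          </rules>
        </add>
      </manyToOneMappings>
    </iisClientCertificateMappingAuthentication>
  </authentication>
</security></system.webServer></configuration>"""


def audit_client_cert_config(xml_text):
    """Check the <security> section against the three requirements in the question.
    Returns a list of finding strings; an empty list means every check passed."""
    findings = []
    security = ET.fromstring(xml_text).find(".//security")
    if security is None:
        return ["no <security> section found"]
    access = security.find("access")
    raw_flags = access.get("sslFlags", "") if access is not None else ""
    flags = {f.strip() for f in raw_flags.split(",") if f.strip()}
    if "Ssl" not in flags:                      # requirement 1: SSL for all requests
        findings.append("sslFlags lacks 'Ssl': plaintext HTTP is still accepted")
    if "SslRequireCert" not in flags:           # SslNegotiateCert only asks for a certificate
        findings.append("sslFlags lacks 'SslRequireCert': a client certificate is optional at the TLS layer")
    anon = security.find("authentication/anonymousAuthentication")
    if anon is None or anon.get("enabled", "true").lower() != "false":   # requirement 3
        findings.append("anonymousAuthentication is not disabled")
    mapping = security.find("authentication/iisClientCertificateMappingAuthentication")
    if mapping is None or mapping.get("enabled", "false").lower() != "true":   # requirement 2
        findings.append("iisClientCertificateMappingAuthentication is not enabled")
        return findings
    for rule in mapping.iter("add"):
        crit = rule.get("matchCriteria")
        if crit is None:                        # the <add name=...> mapping entry itself, not a rule
            continue
        if "*" in crit:                         # a wildcard widens which certificates map to the account
            findings.append("rule on %s/%s uses wildcard matchCriteria %r; consider an exact value"
                            % (rule.get("certificateField"), rule.get("certificateSubField"), crit))
    return findings


if __name__ == "__main__":
    for finding in audit_client_cert_config(WEB_CONFIG):
        print("-", finding)
```

Run against the answer's settings it reports two findings: the certificate is only negotiated, not required, and the issuer rule is a wildcard.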