Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Secure ASP.NET MVC application with SSL and client certificate authentication

Tags:

ssl

asp.net-mvc

I'm looking to secure an ASP.NET MVC application with SSL and client certificate authentication. I'm using IIS 7.5, Windows Server 2008 R2.

I'd like to know whether it's possible to do the following through Web.config (it has to be through there!)

  1. Require SSL communication for all requests
  2. Map multiple client certificates to a single user
  3. Require the user to be authenticated

Also, any pointers on how to go on about doing this, any tutorials or other relevant resources will be much appreciated as I'm new to pretty much all of these things.

like image 266
Stupid Idiot Avatar asked Oct 19 '11 17:10

Stupid Idiot

People also ask

How do you implement certificate based authentication in C#?

Open “Power Shell” as an administrator and run the below command: New-SelfSignedCertificate -DnsName "localhost", "localhost" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date). AddYears(10) -FriendlyName "CAlocalhost" -KeyUsageProperty All -KeyUsage CertSign, CRLSign, DigitalSignature.

What is SSL MVC?

Secure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a web server and a browser.

How do I pass a client certificate to Web API?

Using Client Certificates in Web API On the server side, you can get the client certificate by calling GetClientCertificate on the request message. The method returns null if there is no client certificate. Otherwise, it returns an X509Certificate2 instance.

1 Answers

So, to answer my own questions.. all of the above can be achieved through the Web.config. The following section of the Web.config requires SSL through the system/access section, and configures many-to-one client certificate mapping. These sections are locked in the applicationHost.config so anyone wishing to edit them in the Web.config will need to unlock them. There are many tutorials on that so I won't go into it.

        <security>
            <access sslFlags="Ssl, SslNegotiateCert" />
            <authentication>
                <anonymousAuthentication enabled="false" />
                <iisClientCertificateMappingAuthentication enabled="true" manyToOneCertificateMappingsEnabled="true">
                    <manyToOneMappings>
                        <add name="Authentication Certificate"
                             enabled="true"
                             permissionMode="Allow"
                             userName="foo"
                             password="bar">
                            <rules>
                                <add certificateField="Issuer" certificateSubField="CN" matchCriteria="*.stackoverflow.com" compareCaseSensitive="false" />
                            </rules>
                        </add>
                    </manyToOneMappings>
                </iisClientCertificateMappingAuthentication>
            </authentication>
        </security>
like image 130
Stupid Idiot Avatar answered Oct 25 '22 05:10

Stupid Idiot
Sign in to Comment

Related questions

jQuery UI Dialog + Validate
ASP.NET MVC: generating action link with custom html in it
Does MVC OutputCaching take preference over setting cache response headers?
Reference implementation of ASP.NET MVC using ViewModels, EditModels, and AutoMapper
Hosting ASP.NET MVC 3 Razor Engine Site
How do you communicate between two browser tabs/windows? [duplicate]
OutputCache dilemma with authentication in ASP.NET MVC
IsValid(object value) has not been implemented by this class
Editing an object in entity framework and saving it to the database in ASP.NET MVC 2.0
Setting up Inversion of Control (IoC) in ASP.NET MVC with Castle Windsor
ASP.net MVC - Sharing partials between areas
reverse proxy in mvc
ASP.NET MVC3 - Custom validation attribute -> Client-side broken
How to make the browser back button take you back through AJAX calls?
Nhibernate 2nd level caching issues / questions when moving from a single web server to a multiple web server load balanced environment
ASP.NET MVC Route matching for child actions
Business web-app in .NET - which technology to pick?
Add more routing to asp.net MVC Global.asax
Preload ASP.NET MVC views in IIS warmup step
MVC3 AntiForgeryToken breaks on Ajax login

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!