
The scenario is as follows: users connect to a web server using certificate authentication, the server makes calls to other services, and I would like to forward/send the certificate that I received on the server to those services so they can authenticate the user.

I am using the following code on the webserver to set the client certificate on HttpClientHandler and I can see in debug mode that the client certificate is valid in the HttpContext below.

using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Web;

// Rebuild the client certificate from the DER bytes IIS exposed on the incoming request.
// Note: these bytes carry only the public certificate; the user's private key never leaves
// the browser, so this object cannot complete a TLS client-authentication handshake.
X509Certificate2 cert = new X509Certificate2(HttpContext.Request.ClientCertificate.Certificate);

var httpClientHandler = new WebRequestHandler();
httpClientHandler.UseDefaultCredentials = true;
httpClientHandler.PreAuthenticate = true;
httpClientHandler.ClientCertificateOptions = ClientCertificateOption.Manual;
httpClientHandler.ClientCertificates.Add(cert);

// Outgoing calls to the services go through this client.
var httpClient = new HttpClient(httpClientHandler);

When I receive the request in the service code, the certificate has been stripped off (or it could be that the above code never sent it). Any ideas what's going on and what should be different in the code above?

FYI, both the web server and the services are running on the same machine. To be more precise, the services run as applications within the same website on IIS.

WPFAbsoluteNewBie
  • My bad. This was never going to work. The server in the middle can't use the certificate to establish a secure connection with a second server – WPFAbsoluteNewBie Apr 07 '14 at 18:45
  • Your question title says HttpClientHandler, but your code demonstrates a WebRequestHandler; it causes confusion and thereby should be edited, so people searching for HttpClientHandlers won't end up here. – Christopher Bonitz Jun 07 '16 at 10:34

1 Answer


In your scenario, your site's clients will not be your services' clients; rather your site will be your services' client. As you say, "the [web] server [(i.e. site)] is making calls to other services".

The service requests that your site makes are going to have their own contexts distinct from requests sent to your site that trigger them.

I doubt that you want to reuse the client certificates from requests to your site in your site's corresponding service requests; it sounds like you only intend your site to call your services. If you do, however, you can set up your services for client-certificate authentication (e.g. a related SO question speaks to doing this with a WCF service), get the client certificate from each request to your site, then use it in each related request that your site sends to your services.

J0e3gan
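An added example (not code from the question or the answer) that shows the two points above in one place: why a certificate rebuilt from the request bytes cannot act as a TLS client certificate (it has no private key, as the asker's own follow-up comment notes), and how the site instead authenticates to the services as itself, which is what the answer means by the site being the services' client. The thumbprint, the helper class and its method names are assumptions for illustration.

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper; names are illustrative, not from the question or answer.
public static class ServiceClientFactory
{
    // Request.ClientCertificate.Certificate is only the DER-encoded public certificate the
    // browser presented. The user's private key stayed on the user's machine, so the handler
    // cannot complete the client-auth handshake with this object: HasPrivateKey is false.
    public static bool CanActAsTlsClient(byte[] derFromRequest)
    {
        var cert = new X509Certificate2(derFromRequest);
        return cert.HasPrivateKey;
    }

    // The site is the services' client, so it presents its own certificate: one whose
    // private key lives in the machine store and is readable by the IIS app-pool identity.
    // siteCertThumbprint is an assumed placeholder supplied by the caller.
    public static HttpClient CreateServiceClient(string siteCertThumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, siteCertThumbprint, validOnly: true);
            if (matches.Count == 0)
                throw new InvalidOperationException("Site certificate not found in LocalMachine\\My.");

            var siteCert = matches[0];
            if (!siteCert.HasPrivateKey)
                throw new InvalidOperationException("Site certificate has no usable private key.");

            // Same handler type as in the question, but loaded with the site's own identity.
            var handler = new WebRequestHandler
            {
                ClientCertificateOptions = ClientCertificateOption.Manual
            };
            handler.ClientCertificates.Add(siteCert);
            return new HttpClient(handler);
        }
        finally
        {
            store.Close();
        }
    }
}
```

The services then authenticate the site, not the end user; which user triggered the call has to travel some other way, which the question and answer do not cover.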