
I have an ASP.Net WebApi REST service deployed in IIS7.5. I'm testing to see how to add a Client Certificate authentication process to this service so that only specific clients will be able to access the service.

Current Situation:

  • I created a root certificate, a server certificate and a client certificate using xca. The server certificate and client certificate are signed using the created root certificate.
  • I used mmc to import the created root certificate to Local Computer\Trusted Root Certification Authorities on both server and client.
  • I used mmc to import the created server certificate to Local Computer\Personal on the server.
  • I used mmc to import the created client certificate to Current User\Personal on the client.
  • In IIS, I created HTTPS binding pointing to the created server certificate. I also configured 'Require SSL' and 'Require Client Certificate' for the service in question.
  • I configured the REST service to include CORS headers in the response. This is to support requests for cross-domain resources.

The Problem:

When I try to access the service on the client using Resttesttest (http://resttesttest.com/) in Internet Explorer, I do not get prompted to select a Client Certificate and the service does not return any data. The error code in IIS log is 500. However, doing the same test in Chrome allows me to select a Client Certificate and the service returns valid data. Testing using fiddler also allows me to access the service properly.

Performed Troubleshooting Steps:

  • I checked Certificates in Internet Explorer - the created root certificate shows under Trusted Root Certification Authorities and the created client certificate shows under Personal.
  • I checked the client certificate's certification path - both the root certificate and the client certificate show OK.
  • I understand that Internet Explorer by default does not prompt for Client Certificates if there's only one available. I added my server to Trusted Sites and then set the custom-level option 'Don't prompt for client certificate selection when only one client certificate exists' to Disabled. Tested again - I still don't get prompted to select a certificate.
  • Used Wireshark to capture the traffic during the initial handshake - I can see that the server sent 'Certificate Request' to the client. Furthermore, I see the root certificate I created in the list of accepted root certificates. Right after getting the Certificate Request, the client sends ACK then FIN, ACK. The server responds with RST, ACK and the communication ends.
  • Upgraded Internet Explorer 10 to Internet Explorer 11 - no difference.
  • I found a stackoverflow question that's very similar to the problem I have:

    Browser is not prompting for a client certificate

    But in that case it seems that Chrome doesn't work either. In my case Chrome and Fiddler work; only Internet Explorer doesn't. This is what confuses me the most.

I'm quite out of ideas as to what I might have missed, so any suggestions would be much appreciated.

Many thanks,

David

  • Did you include `Digital Signature` in the Key Usage extension, and `Client Authentication` in the Enhanced Key Usage extension? I think IE uses the latter to determine whether it is valid for showing in the dialog. – jimbobmcgee Dec 15 '15 at 15:01
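The checks the comment asks for can be run in one go on the client machine. The script below is an added example, not code from the question or the comment; it inspects every certificate in Current User\Personal for the properties Schannel (and therefore Internet Explorer) considers before offering a certificate: a private key, a Key Usage that permits signing, an Enhanced Key Usage that includes Client Authentication (or no EKU at all, which means any purpose), and a chain that builds under the client-authentication application policy. Revocation checking is turned off on the assumption that the xca root publishes no CRL/OCSP endpoint; the issuer column is printed so it can be compared with the CA names seen in the server's Certificate Request in Wireshark.

```powershell
# Added example (not from the question or the comment): audit the client certificates
# in Current User\Personal the way Schannel/IE filters them for the selection dialog.
# Run in Windows PowerShell on the client machine.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    $ku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

    # Key Usage must allow signing: the client signs the TLS CertificateVerify message with this key.
    $hasDigitalSignature = ($null -ne $ku) -and
        $ku.KeyUsages.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)

    # A missing EKU extension means "any purpose"; if present, it must list Client Authentication.
    $hasClientAuth = ($null -eq $eku) -or
        [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })

    # Build the chain with the client-auth application policy, as Schannel does.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: lab CA without CRL/OCSP
    [void]$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $clientAuthOid))
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer        # the chain must end at a CA named in the server's Certificate Request
        Thumbprint         = $cert.Thumbprint
        HasPrivateKey      = $cert.HasPrivateKey # imported from .crt instead of .p12 leaves this False
        KeyUsageDigitalSig = $hasDigitalSignature
        EkuClientAuth      = $hasClientAuth
        ChainBuilds        = $chainOk
        ChainStatus        = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
} | Format-Table -AutoSize
```

A certificate that IE will offer shows True in every boolean column and an empty ChainStatus. Any False explains the silent FIN after the Certificate Request: the browser simply had no eligible certificate to present, which looks identical to the "don't prompt" behaviour from the outside.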

1 Answer


I think I might have the fix for you.

I added this in my WebApiConfig.cs

var cors = new EnableCorsAttribute("*", "*", "*") { SupportsCredentials = true };
config.EnableCors(cors); // inside WebApiConfig.Register(HttpConfiguration config); needs the Microsoft.AspNet.WebApi.Cors package

and in my Web.Config I added

<system.web>
  <authentication mode="Windows"/>
  <authorization>
    <allow users="?"/>
  </authorization>
</system.web>

in my Fetch I just added

fetch(serviceUrl, {          // serviceUrl: the HTTPS address of the Web API endpoint
   method: "GET",
   headers: myHeaders,       // myHeaders: the Headers object built for the call
   credentials: "include"    // cross-origin credentials (cookies, auth, TLS client certificate) are only sent with this set
});

This works in IE11 and IE10!

Paul