Request Client Certificate

Question

I've seen a lot of unsolved questions about this. Apparently many developers have gotten past this issue, but I haven't seen any solutions posted.

I'm trying to read a smart card (X.509 CAC) for my ASP.NET MVC 5 web app. When I try to pull the certificate information like this:

var request = HttpContext.Request;
var cert = request.ClientCertificate;

The cert has empty values.

The problem appears to be I am not presenting the dialog to request user certificate info like I see on other websites. How do I expose this dialog?

I am running it with SSL enabled. My applicationhost.config has this in it:

    <authentication>
        <anonymousAuthentication enabled="false"/>
        <basicAuthentication enabled="false" />
        <clientCertificateMappingAuthentication enabled="false" />
        <digestAuthentication enabled="false" />
        <iisClientCertificateMappingAuthentication enabled="true" manyToOneCertificateMappingsEnabled="true">
        <manyToOneMappings>
            <add name="Authentication Certificate"
                 enabled="true"
                 permissionMode="Allow"
                 userName="foo"
                 password="bar">
                <rules>
                    <add certificateField="Issuer" certificateSubField="CN" matchCriteria="*localhost*" compareCaseSensitive="false" />
                </rules>
            </add>
        </manyToOneMappings>
        </iisClientCertificateMappingAuthentication>
        <windowsAuthentication enabled="false">
            <providers>
                <add value="Negotiate" />
                <add value="NTLM" />
            </providers>
        </windowsAuthentication>
    </authentication>

Here is my access node:

<access sslFlags="SslRequireCert" />

Note: that username/password = foo/bar looks suspicious. Why would this be populated on the user side at all? Is there a required service account to be associated with this?

I have also attempted simpler configurations:

    <authentication>
        <anonymousAuthentication enabled="false" userName="" />
        <basicAuthentication enabled="false" />
        <clientCertificateMappingAuthentication enabled="true" />
        <digestAuthentication enabled="false" />
        <iisClientCertificateMappingAuthentication enabled="false">
        </iisClientCertificateMappingAuthentication>
        <windowsAuthentication enabled="false">
            <providers>
                <add value="Negotiate" />
                <add value="NTLM" />
            </providers>
        </windowsAuthentication>
    </authentication>

What happens is the page is presented normally, but I am not solicited for my client certificate.

I clearly have the client certs, so I'm not sure why other websites are able to request them.

I am using IIS Express 10.

Answer 1

The problem was Visual Studio 2015 puts its IIS Express applicationhost.config file in one of the child directories of the solution. It's in the .vs/config directory.

My suggestion to anyone else running into this problem is to:

(1) First make sure the configuration is about what you think would work (SslRequireCert or negotiate). That part is not likely to hold you up if you know what it should be in the applicationhost.config file.

(2) Second have the Certificates set up correctly. I don't think this was a problem in my case, but it could prevent you from reading this property. You should be able to open mmc (type mmc after hitting the Windows button), going to Certificates (or adding the snap in if you don't have it), and making sure Personal/Certificates and Intermediate Certificates/Certificates or Trusted Root Certificates/Certificates have the certificates you need.

And, as I said:

(3) Make sure you have the right applicationhost.config.