Secure ASP.NET MVC application with SSL and client certificate authentication

Question

I'm looking to secure an ASP.NET MVC application with SSL and client certificate authentication. I'm using IIS 7.5, Windows Server 2008 R2.

I'd like to know whether it's possible to do the following through Web.config (it has to be through there!)

Require SSL communication for all requests
Map multiple client certificates to a single user
Require the user to be authenticated

Also, any pointers on how to go on about doing this, any tutorials or other relevant resources will be much appreciated as I'm new to pretty much all of these things.

IIS 6.1 and Windows Server 2008 R2? How comes? – Darin Dimitrov Oct 19 '11 at 17:19 — Darin Dimitrov, Oct 19 '11 at 17:19
Sorry! That was very silly of me! I meant 7.5! Will update – Stupid Idiot Oct 19 '11 at 17:21 — Stupid Idiot, Oct 19 '11 at 17:21

Stupid Idiot · Accepted Answer · 2011-11-01T09:39:29.610

So, to answer my own questions.. all of the above can be achieved through the Web.config. The following section of the Web.config requires SSL through the system/access section, and configures many-to-one client certificate mapping. These sections are locked in the applicationHost.config so anyone wishing to edit them in the Web.config will need to unlock them. There are many tutorials on that so I won't go into it.

        <security>
            <access sslFlags="Ssl, SslNegotiateCert" />
            <authentication>
                <anonymousAuthentication enabled="false" />
                <iisClientCertificateMappingAuthentication enabled="true" manyToOneCertificateMappingsEnabled="true">
                    <manyToOneMappings>
                        <add name="Authentication Certificate"
                             enabled="true"
                             permissionMode="Allow"
                             userName="foo"
                             password="bar">
                            <rules>
                                <add certificateField="Issuer" certificateSubField="CN" matchCriteria="*.stackoverflow.com" compareCaseSensitive="false" />
                            </rules>
                        </add>
                    </manyToOneMappings>
                </iisClientCertificateMappingAuthentication>
            </authentication>
        </security>

score 2 · Answer 2 · answered Oct 19 '11 at 19:12

2

Going in order:

Require SSL communication for all requests - Yes. In IIS, set the site with only an https binding, and delete the http binding. The site will not respond to http requests. If you do this, you should create a script to redirect 403.4 errors from http://mysite.com to https://mysite.com. You can find many examples of how to do this using various tools.
Map multiple client certificates to a single user - I dunno. I will pass on this one.
Require the user to be authenticated - Yes. In the web.config file, in the <system.web> element, add the following:
```
 <authorization>
     <deny users="?"/>
 </authorization>
```

answered Oct 19 '11 at 19:12

counsellorben

10,924
3
40
38

Thanks - this was useful. Just ended up doing it in a different way. – Stupid Idiot Oct 27 '11 at 17:15
2) http://www.iis.net/ConfigReference/system.webServer/security/authentication/iisClientCertificateMappingAuthentication – quetzalcoatl Jul 12 '12 at 09:15

Secure ASP.NET MVC application with SSL and client certificate authentication

2 Answers2

Linked