I have to do a proof of concept, and so far I have found mostly old articles that refer to IIS6, which doesn't help.
In short, I have the following requirements.
I need to protect one file/page, and this file/page only, with a client certificate. The rest of the site should continue to work under SSL but does not require a client certificate, only this one file. User mapping is prohibited, since the mapping will be done programmatically using C#/VB.NET.
Now I know that it should not be difficult. I mean, I should have access to the Request.ClientCertificate property, but my problem is that during testing I can't get a client certificate to move through the wire.
I set IIS on one folder (just to make my life simple) to require SSL and accept client certificates, as well as require client certificates, but all I get from IIS after visiting the page is HTTP/1.1 403 Forbidden. I am never asked to choose a client certificate to send to the server; it simply spews out over my request and takes it away.
It gets even weirder when I use some code to test this. In this client code, the CertPolicy class simply returns true from the method to ignore certificate errors, and test.cer is a self-signed certificate made using MakeCert. Just to make it clear, though: only the client certificate is self-signed; the main certificate is correctly signed, but I play with Fiddler a lot and I have not trusted that certificate, which is why I have the hacky callback.
```vb
Imports System.IO
Imports System.Net
Imports System.Security.Cryptography.X509Certificates
Imports System.Text

' output is assumed to be a StringBuilder declared elsewhere.
Dim Cert As X509Certificate = X509Certificate.CreateFromCertFile("Cert\test.cer")
' Handle any certificate errors on the certificate from the server.
ServicePointManager.CertificatePolicy = New CertPolicy()
' You must change the URL to point to your Web server.
Dim Request As HttpWebRequest = DirectCast(WebRequest.Create("https://local.domain.com/Cert/Server/"), HttpWebRequest)
Request.ClientCertificates.Add(Cert)
Request.UserAgent = "Client Cert Sample"
Request.Method = "GET"
Dim sr As StreamReader
Using Response As HttpWebResponse = DirectCast(Request.GetResponse, HttpWebResponse)
    ' Print the response headers.
    output.AppendFormat("{0}{1}", Response.Headers, vbCrLf)
    output.AppendLine()
    ' Get the certificate data.
    sr = New StreamReader(Response.GetResponseStream, Encoding.Default)
    Dim count As Integer
    Dim ReadBuf() As Char = New Char((1024) - 1) {}
    Do
        count = sr.Read(ReadBuf, 0, 1024)
        If Not 0 = count Then
            ' Append only the characters actually read on this pass.
            output.AppendLine(New String(ReadBuf, 0, count))
        End If
    Loop While (count > 0)
End Using
```
The landing page returns the number of attached certificates, which is always returned if I set IIS to accept or ignore client certificates, but not require them.
```vb
Protected Overrides Sub OnLoad(ByVal e As System.EventArgs)
    MyBase.OnLoad(e)
    ' Write the number of entries in the client certificate collection.
    Dim cs As HttpClientCertificate = Request.ClientCertificate
    Response.Write(cs.Count)
    Response.End()
End Sub
```
If anyone can help me learn how to configure IIS7.5 so that client certificates can be attached to the request and just passed through, it would be great.