ASP.NET WebApi. How can I "allow" but not "require" client certificates?

In IIS, I can “ignore”, “allow” and “require” client certificates.

In ASP.NET WebAPI (version 4.0, which just started a little back), I seem to have the ability to “ignore” or “require”.

By default, client certificates are ignored ... therefore this statement always returns null:

var cert = actionContext.Request.GetClientCertificate(); 

But if I set this flag in my config:

 config.ClientCredentialType = HttpClientCredentialType.Certificate; 

Then I get the client certificate ... but I no longer have the ability to allow anonymous access.

Now my anonymous client receives error 403: "The remote server returned an error: (403) Forbidden."

Can I make a kind of "allow" as in IIS?

+6
2 answers

This is a known limitation using the X509 certificate in a native host script. The actual restriction applies to basic transport binding in WCF, which does not have a permission option for a client certificate.

However, you can allow multiple authentication schemes with other options, such as anonymous and Windows. We are working with the WCF team to find out if we can add this support with an anonymous and X509 certificate.

Hope this clarifies.

+2

Could the supplied certificate be invalid? In this case, the following may help you: RemoteCertificateValidationCallback

0
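
One way to get "allow" semantics at the application layer, as an added example that is not from the original thread or from the Web API project. It assumes a host that requests the client certificate without requiring it (such as IIS set to accept client certificates), because with the self-host setting from the question an anonymous client is rejected before any filter runs. The filter name and the thumbprint value are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Threading;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical filter name; not part of ASP.NET Web API.
public class OptionalClientCertificateAttribute : AuthorizationFilterAttribute
{
    // Constructed placeholder thumbprint; replace with the certificates you trust.
    private static readonly HashSet<string> AllowedThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "0000000000000000000000000000000000000000"
        };

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        X509Certificate2 cert = actionContext.Request.GetClientCertificate();
        if (cert == null)
        {
            // No certificate presented: continue as anonymous. Actions that
            // need an authenticated caller still enforce it with [Authorize].
            return;
        }

        // A certificate was presented, so it must chain to a trusted root,
        // pass revocation checking and be on the allow-list. A bad
        // certificate is rejected, never downgraded to anonymous.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        if (!chain.Build(cert) || !AllowedThumbprints.Contains(cert.Thumbprint))
        {
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Client certificate rejected.");
            return;
        }

        // Valid certificate: expose the caller as an authenticated principal.
        var identity = new GenericIdentity(cert.Subject, "X509");
        Thread.CurrentPrincipal = new GenericPrincipal(identity, new string[0]);
    }
}
```

Register the filter globally or on a controller; endpoints without `[Authorize]` then serve both anonymous and certificate-bearing clients, while a presented but untrusted certificate always gets a 403.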

Source: https://habr.com/ru/post/924795/

