I want to be able to map SSL client certificates to ASP.NET Identity users. I would like IIS to do as much of the work as possible (negotiating the client certificate and perhaps validating that it is signed by a trusted CA), but I don't want IIS to map the certificate to a Windows user. The client certificate is passed through to ASP.NET, where it is inspected and mapped to an ASP.NET Identity user, which is turned into a ClaimsPrincipal.
So far, the only way I have been able to get IIS to pass the client certificate through to ASP.NET is to enable iisClientCertificateMappingAuthentication and set up a many-to-one mapping to a Windows account (which is then never used for anything else.) Is there any way to get IIS to negotiate and pass the certificate through without this configuration step?
You do not have to use the iisClientCertificateMappingAuthentication. The client certificate is accessible in the HttpContext.
var clientCert = HttpContext.Request.ClientCertificate;
Either you enable RequireClientCertificate on the complete site or use a separate login-with-clientcertificate page.
Below is one way of doing this in ASP.NET MVC. Hopefully you can use parts of it to fit your exact situation.
- First make sure you are allowed to set the SslFlags in web.config by turning on feature delegation.
Make site accept (but not require) Client Certificates
Set path to login-with-clientcertificate-page where client certificates will be required. In this case a User controller with a CertificateSignin action.
Create a login controller (pseudo-code)
[OutputCache(NoStore = true, Duration = 0, VaryByParam = "*")] [AllowAnonymous()] public ActionResult CertificateSignIn() { //Get certificate var clientCert = HttpContext.Request.ClientCertificate; //Validate certificate if (!clientCert.IsPresent || !clientCert.IsValid) { ViewBag.LoginFailedMessage = "The client certificate was not present or did not pass validation"; return View("Index"); } //Call your "custom" ClientCertificate --> User mapping method. string userId; bool myCertificateMappingParsingResult = Helper.MyCertificateMapping(clientCert, out userId); if (!myCertificateMappingParsingResult) { ViewBag.LoginFailedMessage = "Your client certificate did not map correctly"; } else { //Use custom Membersip provider. Password is not needed! if (Membership.ValidateUser(userId, null)) { //Create authentication ticket FormsAuthentication.SetAuthCookie(userId, false); Response.Redirect("~/"); } else { ViewBag.LoginFailedMessage = "Login failed!"; } } return View("Index"); }
来源:https://stackoverflow.com/questions/29040512/can-iis-require-ssl-client-certificates-without-mapping-them-to-a-windows-user