I'm looking to secure an ASP.NET MVC application with SSL and client certificate authentication. I'm using IIS 7.5, Windows Server 2008 R2.
I'd like to know whether i
Going in order:
Require SSL communication for all requests - Yes. In IIS, set the site with only an https binding, and delete the http binding. The site will not respond to http requests. If you do this, you should create a script to redirect 403.4 errors from http://mysite.com to https://mysite.com. You can find many examples of how to do this using various tools.
Map multiple client certificates to a single user - I dunno. I will pass on this one.
Require the user to be authenticated - Yes. In the web.config file, in the element, add the following: