Secure ASP.NET MVC application with SSL and client certificate authentication

Front-end · Unresolved · 2 · 1143
Happy的楠姐 2021-01-31 23:27

I'm looking to secure an ASP.NET MVC application with SSL and client certificate authentication. I'm using IIS 7.5, Windows Server 2008 R2.

I'd like to know whether i

2 answers
  • 2021-02-01 00:12

    So, to answer my own questions. All of the above can be achieved through the Web.config. The following section of the Web.config requires SSL through the system/access section, and configures many-to-one client certificate mapping. These sections are locked in the applicationHost.config, so anyone wishing to edit them in the Web.config will need to unlock them. There are many tutorials on that, so I won't go into it.

            <!-- Enclosing elements added for context: the posted fragment lives under
                 <configuration>/<system.webServer> in the application's Web.config -->
            <configuration>
              <system.webServer>
                <security>
                    <!-- Require TLS and ask the client for a certificate during the handshake.
                         SslNegotiateCert only requests one; add SslRequireCert to reject clients
                         that present none at the TLS layer. -->
                    <access sslFlags="Ssl, SslNegotiateCert" />
                    <authentication>
                        <!-- With anonymous access off, the mapped certificate is the only identity -->
                        <anonymousAuthentication enabled="false" />
                        <iisClientCertificateMappingAuthentication enabled="true" manyToOneCertificateMappingsEnabled="true">
                            <manyToOneMappings>
                                <!-- Every certificate that passes the rules below runs as this Windows account.
                                     The password is stored here; it is only encrypted when written through the
                                     IIS configuration API (IIS Manager or appcmd), not when pasted by hand. -->
                                <add name="Authentication Certificate"
                                     enabled="true"
                                     permissionMode="Allow"
                                     userName="foo"
                                     password="bar">
                                    <rules>
                                        <!-- IIS chain-validates the client certificate against the machine's
                                             trusted roots first (403.16 otherwise); this rule then narrows which
                                             trusted issuers map to the account. A wildcard accepts any trusted
                                             issuer whose CN ends in .stackoverflow.com. -->
                                        <add certificateField="Issuer" certificateSubField="CN" matchCriteria="*.stackoverflow.com" compareCaseSensitive="false" />
                                    </rules>
                                </add>
                            </manyToOneMappings>
                        </iisClientCertificateMappingAuthentication>
                    </authentication>
                </security>
              </system.webServer>
            </configuration>
    
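The same settings applied through appcmd.exe instead of hand-editing Web.config, as an added example that is not part of the original answer. It unlocks the three locked sections the answer mentions, then writes the equivalent of the posted fragment. The application path "Default Web Site/MvcApp" is a placeholder; the account "foo"/"bar" and the issuer pattern are the placeholders from the posted config. Two deliberate differences from the posted fragment: sslFlags also includes SslRequireCert, so a client with no certificate fails the TLS handshake (403.7) rather than reaching the authentication modules, and the password attribute goes through the IIS configuration system, which stores attributes the schema marks as encrypted in encrypted form instead of the clear text a hand-edited Web.config carries.

```powershell
# Added example, not from the original answer. Applies the posted Web.config
# settings with appcmd.exe. "Default Web Site/MvcApp", the account foo/bar and
# the issuer pattern are placeholders.
$appcmd = Join-Path $env:windir "System32\inetsrv\appcmd.exe"
$app    = "Default Web Site/MvcApp"
$ccm    = "system.webServer/security/authentication/iisClientCertificateMappingAuthentication"

# 1. Unlock the sections applicationHost.config locks by default. Without this,
#    IIS refuses to read them from Web.config and answers 500.19 ("section is locked").
foreach ($section in @("system.webServer/security/access",
                       "system.webServer/security/authentication/anonymousAuthentication",
                       $ccm)) {
    & $appcmd unlock config "/section:$section"
}

# 2. Require TLS. SslNegotiateCert only asks for a client certificate; SslRequireCert
#    makes the handshake itself fail (403.7) when none is presented.
& $appcmd set config $app "/section:system.webServer/security/access" `
    "/sslFlags:Ssl,SslNegotiateCert,SslRequireCert"

# 3. Turn off anonymous access so the mapped certificate is the only identity.
& $appcmd set config $app "/section:system.webServer/security/authentication/anonymousAuthentication" `
    "/enabled:false"

# 4. Enable many-to-one mapping, then add the mapping and its issuer rule. Without
#    /commit:apphost appcmd writes to the application's Web.config, which is where
#    the original answer keeps these settings.
& $appcmd set config $app "/section:$ccm" "/enabled:true" "/manyToOneCertificateMappingsEnabled:true"
& $appcmd set config $app "/section:$ccm" `
    "/+manyToOneMappings.[name='Authentication Certificate',enabled='true',permissionMode='Allow',userName='foo',password='bar']"
& $appcmd set config $app "/section:$ccm" `
    "/+manyToOneMappings.[name='Authentication Certificate'].rules.[certificateField='Issuer',certificateSubField='CN',matchCriteria='*.stackoverflow.com',compareCaseSensitive='false']"

# 5. Read back the effective configuration for the application and confirm the
#    flags, the disabled anonymous module and the mapping are all present.
& $appcmd list config $app "/section:system.webServer/security/access"
& $appcmd list config $app "/section:system.webServer/security/authentication/anonymousAuthentication"
& $appcmd list config $app "/section:$ccm"
```

Run it from an elevated prompt on the IIS host. The issuer rule only narrows which certificates map to the account; IIS still chain-validates the client certificate against the machine's trusted roots before the mapping is consulted (an untrusted certificate gets 403.16), so the trust anchor is the root store, not the matchCriteria pattern.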
  • 2021-02-01 00:16

    Going in order:

    1. Require SSL communication for all requests - Yes. In IIS, set the site with only an https binding, and delete the http binding. The site will not respond to http requests. If you do this, you should create a script to redirect 403.4 errors from http://mysite.com to https://mysite.com. You can find many examples of how to do this using various tools.

    2. Map multiple client certificates to a single user - I dunno. I will pass on this one.

    3. Require the user to be authenticated - Yes. In the web.config file, in the <system.web> element, add the following:

       <!-- Enclosing element added for context: this goes under <system.web> in Web.config.
            "?" denotes anonymous (unauthenticated) users; rules are evaluated in order -->
       <system.web>
           <authorization>
               <deny users="?"/>
           </authorization>
       </system.web>
      
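Steps 1 and 3 of this answer as one script, added here as an example and not part of the original answer. It removes the site's http bindings (refusing to do so if there is no https binding to fall back on, which would take the site offline) and then inserts the `<deny users="?"/>` rule into the application's Web.config idempotently, creating `<system.web>` and `<authorization>` if they are missing. The site name "Default Web Site" and the Web.config location derived from its physical path are assumptions.

```powershell
# Added example, not from the original answer. Site name is a placeholder.
Import-Module WebAdministration

$site = "Default Web Site"
$physicalPath = [Environment]::ExpandEnvironmentVariables((Get-Item "IIS:\Sites\$site").physicalPath)
$webConfig = Join-Path $physicalPath "web.config"

# Step 1: remove every http binding so IIS never answers plaintext requests.
# Refuse to proceed if there is no https binding, otherwise the site goes dark.
if (-not (Get-WebBinding -Name $site -Protocol https)) {
    throw "Site '$site' has no https binding; add one (with a server certificate) before removing http."
}
Get-WebBinding -Name $site -Protocol http | Remove-WebBinding

# Step 3: add <deny users="?"/> under <system.web><authorization>.
# "?" is the ASP.NET wildcard for anonymous (unauthenticated) users.
[xml]$cfg = Get-Content -Path $webConfig
$root = $cfg.DocumentElement                       # <configuration>

$systemWeb = $root.SelectSingleNode("system.web")
if (-not $systemWeb) {
    $systemWeb = $root.AppendChild($cfg.CreateElement("system.web"))
}
$authz = $systemWeb.SelectSingleNode("authorization")
if (-not $authz) {
    $authz = $systemWeb.AppendChild($cfg.CreateElement("authorization"))
}

# Only add the rule once, and put it first: authorization rules are evaluated
# in document order, so an earlier <allow users="*"/> would otherwise win.
if (-not $authz.SelectSingleNode("deny[@users='?']")) {
    $deny = $cfg.CreateElement("deny")
    $deny.SetAttribute("users", "?")
    [void]$authz.PrependChild($deny)
}
$cfg.Save($webConfig)

# Show what is now in effect for the site.
Get-WebBinding -Name $site
Select-Xml -Xml $cfg -XPath "/configuration/system.web/authorization/*" | ForEach-Object { $_.Node.OuterXml }
```

Because the script prepends the deny rule rather than appending it, an existing `<allow users="*"/>` lower in the list can no longer shadow it; ASP.NET stops at the first matching rule.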