[英]Cannot authenticate a call to ASP.NET MVC3 service with a self-signed client certificate
I have an ASP.NET MVC3 service running in IIS 7.5 with .NET Framework 4.5 where I want to secure access to one of the subpaths with a client certificate. 我有一个在.NET Framework 4.5的IIS 7.5中运行的ASP.NET MVC3服务,在该服务中,我想使用客户端证书保护对子路径之一的访问。 For that subpath I crafted a controller with is labeled with a specially crafted attribute which would access the request client certificate 对于该子路径,我设计了一个带有特制属性的控制器,该属性将访问请求客户端证书
public class CheckCertAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(
ActionExecutingContext filterContext)
{
filterContext.HttpContext.Response.Headers.Add(
"CheckCertAttribute", "entered");
var cert = filterContext.HttpContext.Request.ClientCertificate;
// check the cert here, optionally return HTTP 403
}
}
Initially OnActionExecuting()
is being invoked but Certificate
is null. 最初, OnActionExecuting()
被调用,但是Certificate
为null。 Turns out I need to enable SslNegotiateCert
in web.config: 原来我需要在web.config中启用SslNegotiateCert
:
<location path="PathOfInterest">
<system.webServer>
<security>
<access sslFlags="SslNegotiateCert"/>
</security>
</system.webServer>
</location>
Once I do this the client always receives HTTP 403 and the attribute is no longer invoked. 一旦执行此操作,客户端将始终接收HTTP 403,并且不再调用该属性。
The client certificate is self-signed and exported as .pfx (with a private key) so I guess the problem is that once it arrives on the server side the server doesn't like it and refuses to accept it and pass through. 客户端证书是自签名的,并导出为.pfx(带有私钥),因此我想问题是,一旦它到达服务器端,服务器就不喜欢它并拒绝接受并通过。 The client side uses HttpWebRequest
: 客户端使用HttpWebRequest
:
var cert = new X509Certificate2(pathToPfx, password);
var request = (HttpWebRequest)WebRequest.Create("https://my.company.com/PathOfInterest");
request.ClientCertificates.Add(cert);
request.GetResponse();
I've already used this approach earlier and it worked. 我之前已经使用过这种方法,并且有效。 The first case was when the client certificate was not self-signed but was signed by an intermediate certificate which in turn was signed by some trusted root authority - in this case my service configured very similarly would receive it just fine. 第一种情况是客户端证书不是自签名的,而是由中间证书签名的,而中间证书又由某些受信任的根颁发机构签名-在这种情况下,我的服务配置非常相似,就可以收到它。 The second case was using a self-signed client certificate to make Azure Management Service calls but in this case I have no idea how the server side is configured. 第二种情况是使用自签名客户端证书进行Azure管理服务调用,但是在这种情况下,我不知道如何配置服务器端。
I therefore came to conclusion that it's a self-signed nature of the certificate which makes it "not working". 因此,我得出的结论是,它是证书的自签名性质,因此使其“无法正常工作”。 I have so do something extra - perhaps add something into web.config or add the certificate into some certificate store on the server side. 我需要做一些额外的事情-也许将一些内容添加到web.config或将证书添加到服务器端的某些证书存储中。 I just have no idea what this should be. 我只是不知道这应该是什么。
How do I make this setup work? 如何使该设置起作用?
IIS tries to "negotiate" a mutually trusted connection with the client and because the client certificate is self-signed it refuses to trust it. IIS尝试与客户端“协商”相互信任的连接,并且由于客户端证书是自签名的,因此它拒绝信任它。
Your options: 您的选择:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.