
How to customize Microsoft.Owin.Security.OAuth to use a certificate but not have IIS Validate it


Hopefully I'm asking the question properly.

I have the following use case. I have an application I want to run on https, and have the user pass an x509. However, I want to forward that authentication off to an external LDAP and not have IIS authenticate/check the certificate.

If I go into IIS and set to Accept/Require I get a 403 error. If I don't require then I never get prompted for the certificate.

My start-up class looks like the following:


    using Owin;
    // also add the using for the package that provides UseClientCertificateAuthentication

    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Register the client-certificate middleware; the validator decides whether a presented cert is accepted
            app.UseClientCertificateAuthentication(new DefaultClientCertificateValidator());
        }
    }

I then have:

    using System;
    using System.Security.Cryptography.X509Certificates;

    public class DefaultClientCertificateValidator : IClientCertificateValidator
    {
        public ClientCertificateValidationResult Validate(X509Certificate2 certificate)
        {
            // Subject is the DN string; SubjectName is an X500DistinguishedName object and would only print its type name
            Console.WriteLine($"Attempting to validate cert {certificate.Subject}");
            // For now just accept every presented certificate
            ClientCertificateValidationResult res = new ClientCertificateValidationResult(true);
            return res;
        }
    }

If I do not pass in a certificate it goes down the path of throwing an error because it couldn't find a certificate. However, if I try to send in a certificate I get the server error of:

403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.

Is there something in IIS I need to do to basically say "Grab the certificate, forward it along but do NOT authenticate it?"


Solution

  • It looks like the answer is a bit "weird". For IIS you need to do the following:

    netsh http show sslcert
    

    This gets you your SSL certificate.

    Then copy this information off; you'll need it later.

    Then do the following:

    netsh http delete sslcert ipport=YOUR_HOST:YOUR_PORT
    

    Then run the following:

    netsh http add sslcert ipport=YOUR_HOST:YOUR_PORT certhash=[FROM THE FILE EARLIER] appid={[FROM THE FILE EARLIER]} certstorename=MY verifyclientcertrevocation=enable VerifyRevocationWithCachedClientCertOnly=disable UsageCheck=Enable clientcertnegotiation=enable
    

    By flipping that bit to enabled, it allows the X509 to be validated downstream.
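The show / delete / add sequence above, scripted so the certificate hash and application ID are read from `netsh` instead of being copied by hand, and so the result is checked afterwards. This is an added example, not code from the question or the answer; it assumes an elevated PowerShell session, English-language `netsh` output, and that the `-IpPort` you pass (for example `0.0.0.0:443`) already has an HTTPS binding.

```powershell
# Added example: re-create an HTTP.sys SSL binding with client certificate negotiation enabled.
# Assumes: elevated PowerShell, English netsh output, an existing binding on $IpPort.
param(
    [Parameter(Mandatory)] [string]$IpPort   # e.g. 0.0.0.0:443 (assumed value, adjust to your binding)
)

function Get-SslCertBinding([string]$IpPort) {
    # Read the current binding so nothing is retyped by hand
    $text = (netsh http show sslcert ipport=$IpPort) -join "`n"
    if ($text -notmatch 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})') {
        throw "No SSL binding found for $IpPort (or netsh output not recognised)"
    }
    $hash = $Matches[1]
    if ($text -notmatch 'Application ID\s*:\s*(\{[0-9a-fA-F-]{36}\})') {
        throw "Could not read the Application ID for $IpPort"
    }
    $appId = $Matches[1]
    $store = if ($text -match 'Certificate Store Name\s*:\s*(\S+)') { $Matches[1] } else { 'MY' }
    if ($store -eq '(null)') { $store = 'MY' }
    [pscustomobject]@{ IpPort = $IpPort; CertHash = $hash; AppId = $appId; Store = $store }
}

function Enable-ClientCertNegotiation([string]$IpPort) {
    $b = Get-SslCertBinding $IpPort
    Write-Host "Current binding: hash=$($b.CertHash) appid=$($b.AppId) store=$($b.Store)"
    # netsh cannot change flags on an existing binding, so delete it and add it back with the new flags
    netsh http delete sslcert "ipport=$($b.IpPort)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "delete sslcert failed for $($b.IpPort)" }
    netsh http add sslcert "ipport=$($b.IpPort)" "certhash=$($b.CertHash)" "appid=$($b.AppId)" `
        "certstorename=$($b.Store)" verifyclientcertrevocation=enable `
        verifyrevocationwithcachedclientcertonly=disable usagecheck=enable `
        clientcertnegotiation=enable | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "add sslcert failed; re-add the binding manually using the values printed above"
    }
    # Confirm the flag actually took effect on the new binding
    $after = (netsh http show sslcert ipport=$b.IpPort) -join "`n"
    if ($after -notmatch 'Negotiate Client Certificate\s*:\s*Enabled') {
        throw "Binding re-created but client certificate negotiation is still disabled"
    }
    Write-Host "Client certificate negotiation enabled on $($b.IpPort)"
}

Enable-ClientCertNegotiation -IpPort $IpPort
```

The site stays unreachable between the delete and the add, so run it in a maintenance window; the printed hash and appid let you restore the binding by hand if the add step fails.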