Set binding programmatically to require client certificate approval in IIS

How can I achieve the equivalent of setting clientcertnegotiation = allow using netsh from the application in C# (without executing the command line)?

```
netsh http add sslcert ipport=0.0.0.0:8000 certhash=2064a43f429fe97746ce0c1c9adcd4ea93415f6d appid={4dc3e181-e14b-4a21-b022-59fc669b0914} clientcertnegotiation=enable
```

The following code successfully adds a certificate:

```csharp
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Web.Administration;

// cert is the X509Certificate2 to bind (obtained elsewhere)
using (var manager = new ServerManager())
{
    var siteBindings = from s1 in manager.Sites
                       from b1 in s1.Bindings
                       where b1.Protocol.Equals("https")
                       select new { SiteName = s1.Name, Binding = b1 };

    foreach (var siteBinding in siteBindings)
    {
        siteBinding.Binding.CertificateHash = cert.GetCertHash();
    }

    // This is correctly setting the values on the SSL cert configuration section in IIS
    var config = manager.GetApplicationHostConfiguration();
    var accessSection = config.GetSection("system.webServer/security/access", "WebActivationService");
    accessSection["sslFlags"] = @"Ssl, SslRequireCert";
    manager.CommitChanges();
}
```

but running `netsh http show sslcert` shows that client certificate negotiation is disabled:

```
IP:port                                 : 0.0.0.0:8000
Certificate Hash                        : 2064a43f429fe97746ce0c1c9adcd4ea93415f6d
Application ID                          : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name                  : MY
Verify Client Certificate Revocation    : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check                             : Enabled
Revocation Freshness Time               : 0
URL Retrieval Timeout                   : 0
Ctl Identifier                          : (null)
Ctl Store Name                          : (null)
DS Mapper Usage                         : Disabled
Negotiate Client Certificate            : Disabled
```

Deleting and re-creating the binding has the same effect.

+6
3 answers

From Windows Server 2003 onward, you can use the following:

```c
ULONG HttpSetServiceConfiguration(
    __in HANDLE                 ServiceHandle,
    __in HTTP_SERVICE_CONFIG_ID ConfigId,
    __in PVOID                  pConfigInformation,
    __in ULONG                  ConfigInformationLength,
    __in LPOVERLAPPED           pOverlapped
);
```

http://msdn.microsoft.com/en-us/library/windows/desktop/aa364503(v=vs.85).aspx

+1
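Putting this answer into practice, as an added example that is not from any of the answers on this page: a C# P/Invoke wrapper around HttpSetServiceConfiguration that re-creates the HTTP.sys SSL entry with the HTTP_SERVICE_CONFIG_SSL_FLAG_NEGOTIATE_CLIENT_CERT flag, which is the setting netsh exposes as clientcertnegotiation=enable. It assumes IPv4, an elevated process, and that the caller passes the certificate hash and application id that `netsh http show sslcert` reports for the binding (for an IIS site, the appid shown in the question); the struct layouts follow the Windows SDK http.h definitions.

```csharp
using System;
using System.ComponentModel;
using System.Net;
using System.Runtime.InteropServices;

static class HttpSysSsl {   // thin P/Invoke layer over httpapi.dll (HTTP.sys service configuration)
    [StructLayout(LayoutKind.Sequential)] struct HTTPAPI_VERSION { public ushort Major, Minor; }
    [StructLayout(LayoutKind.Sequential)] struct HTTP_SERVICE_CONFIG_SSL_KEY { public IntPtr pIpPort; }   // PSOCKADDR
    [StructLayout(LayoutKind.Sequential)] struct HTTP_SERVICE_CONFIG_SSL_PARAM
    {
        public int SslHashLength; public IntPtr pSslHash; public Guid AppId;
        [MarshalAs(UnmanagedType.LPWStr)] public string pSslCertStoreName;
        public uint DefaultCertCheckMode, DefaultRevocationFreshnessTime, DefaultRevocationUrlRetrievalTimeout;
        [MarshalAs(UnmanagedType.LPWStr)] public string pDefaultSslCtlIdentifier, pDefaultSslCtlStoreName;
        public uint DefaultFlags;   // HTTP_SERVICE_CONFIG_SSL_FLAG_* bits: this is where clientcertnegotiation lives
    }
    [StructLayout(LayoutKind.Sequential)] struct HTTP_SERVICE_CONFIG_SSL_SET
    { public HTTP_SERVICE_CONFIG_SSL_KEY KeyDesc; public HTTP_SERVICE_CONFIG_SSL_PARAM ParamDesc; }

    const int HttpServiceConfigSSLCertInfo = 1;   // HTTP_SERVICE_CONFIG_ID enum value
    const uint HTTP_INITIALIZE_CONFIG = 2, HTTP_SERVICE_CONFIG_SSL_FLAG_NEGOTIATE_CLIENT_CERT = 2, ERROR_FILE_NOT_FOUND = 2;
    [DllImport("httpapi.dll")] static extern uint HttpInitialize(HTTPAPI_VERSION v, uint flags, IntPtr reserved);
    [DllImport("httpapi.dll")] static extern uint HttpTerminate(uint flags, IntPtr reserved);
    [DllImport("httpapi.dll")] static extern uint HttpSetServiceConfiguration(IntPtr h, int id, IntPtr cfg, int len, IntPtr ov);
    [DllImport("httpapi.dll")] static extern uint HttpDeleteServiceConfiguration(IntPtr h, int id, IntPtr cfg, int len, IntPtr ov);
    static void Check(uint rc) { if (rc != 0) throw new Win32Exception((int)rc); }

    // Re-creates the HTTP.sys SSL binding for ip:port so that "netsh http show sslcert" reports
    // "Negotiate Client Certificate : Enabled". IPv4 only; must run elevated. The existing entry is
    // deleted first because HttpSetServiceConfiguration fails with ERROR_ALREADY_EXISTS otherwise.
    public static void BindWithClientCertNegotiation(IPAddress ip, ushort port, byte[] certHash, Guid appId) {
        Check(HttpInitialize(new HTTPAPI_VERSION { Major = 1, Minor = 0 }, HTTP_INITIALIZE_CONFIG, IntPtr.Zero));
        var sockaddr = new byte[16];   // SOCKADDR_IN: AF_INET, port in network byte order, address, 8 zero bytes
        sockaddr[0] = 2; sockaddr[2] = (byte)(port >> 8); sockaddr[3] = (byte)port;
        Array.Copy(ip.GetAddressBytes(), 0, sockaddr, 4, 4);
        int size = Marshal.SizeOf(typeof(HTTP_SERVICE_CONFIG_SSL_SET));
        IntPtr pAddr = Marshal.AllocHGlobal(16), pHash = Marshal.AllocHGlobal(certHash.Length), pSet = Marshal.AllocHGlobal(size);
        try {
            Marshal.Copy(sockaddr, 0, pAddr, 16); Marshal.Copy(certHash, 0, pHash, certHash.Length);
            var param = new HTTP_SERVICE_CONFIG_SSL_PARAM { SslHashLength = certHash.Length, pSslHash = pHash, AppId = appId,
                pSslCertStoreName = "MY", DefaultFlags = HTTP_SERVICE_CONFIG_SSL_FLAG_NEGOTIATE_CLIENT_CERT };   // == clientcertnegotiation=enable
            var set = new HTTP_SERVICE_CONFIG_SSL_SET { KeyDesc = new HTTP_SERVICE_CONFIG_SSL_KEY { pIpPort = pAddr }, ParamDesc = param };
            Marshal.StructureToPtr(set, pSet, false);
            uint rc = HttpDeleteServiceConfiguration(IntPtr.Zero, HttpServiceConfigSSLCertInfo, pSet, size, IntPtr.Zero);
            if (rc != ERROR_FILE_NOT_FOUND) Check(rc);   // "no such binding yet" is fine, any other failure is not
            Check(HttpSetServiceConfiguration(IntPtr.Zero, HttpServiceConfigSSLCertInfo, pSet, size, IntPtr.Zero));
        } finally {
            Marshal.FreeHGlobal(pSet); Marshal.FreeHGlobal(pHash); Marshal.FreeHGlobal(pAddr);
            HttpTerminate(HTTP_INITIALIZE_CONFIG, IntPtr.Zero);
        }
    }
}
```

Call it after ServerManager.CommitChanges() with the binding's address and port, cert.GetCertHash() and the IIS application id; the sslFlags setting in the IIS access section still decides whether the site actually requires the negotiated certificate.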

It seems to me that some important settings are missing... For sample code on how to do this, with some explanation, see http://www.iis.net/ConfigReference/system.webServer/security/authentication/iisClientCertificateMappingAuthentication#006

0

You want to enable client certificate verification using the example described at https://www.iis.net/ConfigReference/system.applicationHost/sites/site/ftpServer/security/sslClientCertificates .

You need to set clientCertificatePolicy to CertRequire to refuse authentication that is not related to the client. Depending on whether you want to map the certificate to an actual Windows user, you need to set useActiveDirectoryMapping to the appropriate value.

0

Source: https://habr.com/ru/post/894716/


All Articles