Is there any way to use Client Certificates with ASP.NET 5? - ssl

We are developing an ASP.NET 5 project and one of the requirements is that user authentication is done through client certificates via browser, but I can't make this work.
Using web.config and IIS the certificate is requested properly with this configuration:
<system.webServer>
<security>
<access sslFlags="Ssl, SslNegotiateCert" />
<authentication>
<iisClientCertificateMappingAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
But the client certificate does not arrive to the web application, as I understand it should be in context.Connection.ClientCertificate property, where context is the current HttpContext.
I suspect that httpPlatformHandler that tunnels IIS to Kestrel is ignoring https and this may be implemented in the future.
I have made some tests with an OWIN site (not DNX) and a custom AuthenticationHandler that gets the X509 client certificate and works properly under IIS.

It looks like there has been some work done on this and a pull request and merge was done implementing this. So... hopefully we'll see it in a updated release of Kestrel.
See here: https://github.com/aspnet/KestrelHttpServer/pull/385

As I can read in the Change to IIS hosting model announcement:
The HttpPlatformHandler currently does not forward client certs (this will be a future enhancement)
So, it seems that is not possible right now and httpPlaformHandler must be fixed.

Related

401 error in Windows server 2012 after disabling crypto

We had the following issue in our Production Environemt:
When we disabled some weak crypto in our IIS Server 8.5 (Using IISCrypto) the server, after we try to login on the webpage, shows a 401 error
The crypto and ciphers that we were trying to configure was this
Crypto Enabled
Ciphers Enabled
The error after we applied changes and restarted the server was this
401 error
However, when we applied the same changes in our QA Enviroment and we didn't had that issue, as a matter of fact, we checked if IIS in both enviroments had a different configuration, still, the configuration was the same in both enviroments. If we reverse the change and enable all of the Crypto algorithms, the problem dissappears
IIS Authentication
We also checked our Web.config in order to check if the authentication methods on both environments was different, however, both lines are exactly the same
<authentication mode="Forms">
<forms timeout="20" loginUrl="Login.aspx" defaultUrl="Login.aspx" requireSSL="true" />
</authentication>
<authorization>
<deny users="?" />
<allow roles="Admin, User" />
</authorization>
Can anybody help us out here with this issue? none of the workarounds and solutions we have looked for have worked or they don't apply (Mainly because we do not use Windows Authentication in our website)
Thanks in advance
EDIT: Anonymous Authentication has the same configuration on both sides
I solved the issue, I needed to first update the servers to the last Windows security update! after that, everything worked fine!

There is no endpoint listening error when a WCF service is hosted on IIS

I have a MVC page which consumes a WebService over SSL. The certificate is installed and when the application is running its able to detect the certificate.
The problem is this codes works perfectly fine in my local machine while i try to call the MVC page hosted.
But when MVC page hosted in server is called it throws an error:
There was no endpoint listening at https:// that could accept the message. This is often caused by an incorrect address or SOAP action.
I found out the issue was indeed with the App Pool identity. When I changed it to run with my credentials it solved the problem. But i cannot do this in production environment.
I need to make it work with Identity : Network Service in IIS App pool.
I have tried giving permission to certificate using winhttpcertcfg for network service and that also didn't help.
Not sure what is missing.
Thanks in Advance.
adding this solved my problem:
<system.net> <defaultProxy useDefaultCredentials="true" enabled="true"> <proxy usesystemdefault="True" proxyaddress="myproxyserver:port"; bypassonlocal="False"/> </defaultProxy> <settings> <servicePointManager expect100Continue="false" /> <ipv6 enabled="true"/> </settings> </system.net>

What's the difference in WCF between Ntlm and NTLM, and how can I fix it?

I've got a WCF service that's running on IIS 6, with integrated authentication and impersonation using NTLM.
Relevant portions of Web.Config
<system.web>
<identity impersonate="true"/>
<customErrors mode="Off"></customErrors>
</system.web>
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
...
</system.web>
...
<wsHttpBinding>
<binding name="wsHttpEndpointBinding">
<security mode="Transport">
<transport clientCredentialType="Ntlm" />
</security>
</binding>
</wsHttpBinding>
I just added the aspNetCompatibility because I want to know who the user is that's logged in (at least as far as IIS is concerned). From the few searches I've done that's how you get the user.
Well, after adding that line and publishing my server I get what's possibly the stupidest error I've seen:
The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM'.
I thought, "Well obviously they're doing a very case-sensitive comparison." So I searched my entire client solution for Ntlm and replaced all non-variable occurrences with NTLM. No luck.
My primary goal, of course is to get whatever user was authenticated through IIS+NTLM. If I'm going about it the wrong way, I'd be happy to know of an easier/better way. Otherwise, how do I tell my client (or my server) that it's OK to go ahead and authenticate?
One other possibility if you are running across this error is that you are experiencing an issue with the loopback check with NTLM. I have a service which runs self-contained on a non-domain (workgroup) server. WCF is configured using BasicHttpBinding with Transport security mode and Ntlm client credentials. When trying to access the service using https://servername it works great. If I try to access it using the FQDN (https://servername.domain.com) it fails with the same error:
The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM'.
If you look inside the Windows security log you will see an Audit Failure with event ID 4625. In this you will see the following failure information:
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc000006d
Sub Status: 0x0
To resolve this you need to either add the back connect host names (preferred) or disable the loopback check. This was a security enhancement added for NTLM in Windows Server 2003 SP1 and later to close out an attack vector against the protocol. The fix, however, causes a lot of unclear error messages like this one from WCF and continues to haunt me in many obscure ways to this day.
Start Here . This should resolve your issue

setting a WCF service on a http when its already configured for https

We have a service on our 3rd party site which is configured to be invoked on a https (server to firewall and routing everything is configured for https)! Since We are unable to communicate with it due to certificate issue with DataPower on our side, we thought why not test the connectivity on http!
So now they trying to make the WCF Service as http on the same IP and port, they could see the Service not responding to inbound calls and ignoring the http request coming on a https configured IP + port!
I am not sure what can be done to say the .net WCF Service, hey ignore its on http and just get it rolling! They did disable https binding and just try with a http binding!
Any ideas would be great! Thanks!
(P.S. I dont have access to their code or config!)
Is is IIS hosted or self hosted?
If it is hosted in IIS, then IIS needs to have the SSL certificate removed and the configuration set to HTTP instead of HTTPS.
In WCF, you would have to disable Transport security, which is usually in the configuration on the binding, like:
<binding>
<security mode="Transport">
To disable HTTPS you would need to set mode="None" (or something other than Transport).
This worked for me... Adding this to webconfig or appconfig of the project
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<directoryBrowse enabled="true" />
</system.webServer>
</configuration>

WCF Http Bindings, Require SSL

I have the following binding I'm using with my wsHttpBinding webservice.
<binding name="wsHttpConfig">
<security>
<transport clientCredentialType="None"/>
</security>
</binding>
The issue is that it allows for the client to connect using either Http or Https. I would like to require them to use SSL. I tried adding the following:
<system.web.extensions>
<scripting>
<webServices>
<authenticationService enabled="true"
requireSSL = "true"/>
</webServices>
</scripting>
</system.web.extensions>
But it had no effect; client could still connect with Http. I then tried checking the "Require SSL" in the IIS7 SSL Settings and had client certificates radio set to Accept. Now, when I try to view the service I am getting the error "Could not find a base address that matches scheme http for the endpoint with binding WSHttpBinding. Registered base address schemes are [https]."
Anyone know exactly how to fix this error? I have been googling for the last 3 hours trying 500 different combinations (not 500, but too many to list) and could not get anything to run.
For anyone stumbling across this one from Google, Bing (Bingle, Yangle?) then take a look at a blog post a put together to help others trying to run a secure AuthenticationService in a test environment.
http://www.lukepuplett.com/2010/07/setting-up-wcf-over-ssl-on-iis-7x.html
And good luck!
Have you read this msdn post?
You must either change
binding="mexHttpBinding"
to
binding="mexHttpsBinding"
or else add an http base address in addition to the https base address. (Right now the metadata endpoint is trying to get hosted on http, rather than https, and there's no base address for that.)
Have you correctly configured your endpoint?
Have you tried dynamically configuring the base address?