ASP.NET MVC - How to enable/disable CaC/Client Certificate authentication per area or route.

By -

Use Case

Typically, when you enable CaC/Client Certificates on a web app you enable it for the entire app. But what if you wanted to disable it for certain sections of the site. For example, an API controller, or a specific Area that hosts pages that can be publicly viewed.

Luckily, it's very easy to make this happen. I'll walk through an example that requires CaC authentication for the base app but does not require it to make requests on an API controller, which will use leverage the HTTP Authentication header for auth. 


1. Modify the web.config

To require client certs for the base app, add this snippet inside the <system.webServer> tag.

    <!-- Access for the Base App -->
    <security>
        <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
    </security>

Now we can selectively disable client certs for specific sections of the app. In this case, I am disabling it for all routes starting with /api/v1. (I am still requiring SSL)

  <location path="api/v1">
    <system.webServer>
      <security>
        <access sslFlags="Ssl"/>
      </security>
    </system.webServer>
  </location>

2. Ensure your routes match the location defined in the web.config

In my case, I just added a RoutePrefix to my API controller that matched the path in the <location> tag above. You could also create an Area and use <location path="AreaName"> to isolate the entire area instead of relying on attribute routes. 


3. Allow the <access> node to be overridden in the web.config

In a default IIS configuration, following the first 2 steps should result in a 500 error when running the app. This is because the <access> section is locked at the IIS level and thus can't be overridden at the application level. Let's change that.



If you have access to the IIS GUI you can unlock the section by following these steps...


1. Navigate to the IIS Configuration Manager



2. Locate the access section under Security



3. Click the unlock section link so that it changes to "lock section". The access section is now unlocked and can be overridden at the application level. 



The alternative is to directly edit the applicationHost.config xml file. It is usually located at 
C:\Windows\System32\inetsrv\config.

Locate the name="access" node under the security sectiongroup and change overrideModeDefault="Deny" to overrideModeDefault="Allow"



There you have it. I hope this helps!

Comments

Post a Comment

Popular posts from this blog

ASP.NET Identity Remember Me

By -
ASP.NET Identity comes with a built-in Remember Me feature on the Login form, it's supposed to keep a user logged in (via an authentication cookie) for a predetermined period of time set via your code settings. However it sometimes might not work as expected and users will have to frequently log in which will cause quite a bit of frustration. Your first reaction is to modify your code then test / rinse / repeat and possibly still see the same unsuccessful results ... did you also check your website's IIS settings? Code Settings Let's first take a look at the Code configuration settings. If you create a new default MVC 5.x application in Visual Studio (with Authentication set to  Individual User Accounts ) the following code is generated (in  /App_Start/Startup.Auth.cs ): app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie, LoginPath = new PathString("/Account/Login"), Provi
Read more

IIS Express Client Certificates

By -
We recently had to investigate how to  CAC -enable a web application, one of the challenges was setting up a proper development environment to prototype & test code changes before deploying to other environments. STEP 1  - You need to have a client certificate installed on your development machine. Assuming you don't have a readily available CAC or Smart Card, you can either  create a self-signed certificate  OR for this example we just used a  corporate outlook email client certificate (used to sign & encrypt emails).   Note : The certificate should be available in your web browser. For IE go to  Internet Options > Content > Certificates  to view all your certificates. In Chrome, go to  Settings > Show advanced settings > HTTPS/SSL > Manage certificates . STEP 2  - Using Visual Studio, create a default ASP.NET MVC 5 web application. STEP 3  - Enable SSL for your project. In Visual Studio, hit  F4  to open Project Properties and set   SSL Enabled   to   T
Read more