Our aim is to host an ASP.NET Core 9.0 web site on IIS and to use client certificates for authentication. The ASP.NET Core web app is working well: when running directly from Kestrel, everything works as expected, i.e., the user is prompted to choose a valid certificate that will be used to authenticate her.
The doc says that IIS configuration is limited to 3 steps:
- Select the site from the Connections tab
- Double-click the SSL Settings option
- Tick the Require SSL checkbox and select the Require radio button in the Client certificates section
Unfortunately, it doesn't work. We've activated Failed Request Tracing and, with that config, the ASP.NET Core Module will always terminate the request with the "request is not supported" error:
Notice that the end user will always end up seeing a 500 error page and doesn't even get a chance to choose the certificate that will be used for authentication.
So, in order to make things simple, we've decided to remove the ASP.NET Core app from the equation and have a simple site, with a single index.html page, and see if at least we can configure it so that the browser lets the user choose a certificate.
We've activated only the https binding on the site:
And have also changed the default SSL settings:
We've also activated Failed request tracing in order to get more info about what's going on. This initial config ended up with the traditional 500 error:
And here is the output of the failed request tracing file:
After some more digging, we've also found this post. Once more, we've updated our web.config so that it looked like this (we had to unlock the authentication subsections at the root level):
<security>
  <authentication>
    <anonymousAuthentication enabled="false" />
    <iisClientCertificateMappingAuthentication enabled="true" />
  </authentication>
</security>
The results are still the same. So, we went ahead and added a mapping from a certificate to an existing user (we've used IIS Manager in order to get things right):
<security>
  <authentication>
    <anonymousAuthentication enabled="false" />
    <windowsAuthentication enabled="false" />
    <iisClientCertificateMappingAuthentication enabled="true">
      <oneToOneMappings>
        <add userName="XXX" password="[enc:IISCngProvider:wX....]" certificate="MIIFTDCCBDSgAwIBAgITdQAAEJsn8Q3PLgZ4iwAAAAAQm..." />
      </oneToOneMappings>
    </iisClientCertificateMappingAuthentication>
  </authentication>
</security>
Once more, it still doesn't work (i.e., the user never gets a chance to choose a certificate). After some more digging, we've found some posts that say that Windows auth must be enabled in order for it to work. So we've activated it:
<windowsAuthentication enabled="true" />
But no, still not working. Loading the page never gives me the chance to choose a certificate.
So, can anyone point me to a valid doc which shows how to configure IIS to require that the client presents a certificate when navigating to a web site?
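For reference, the "Require SSL" plus client certificates "Require" setting from the three IIS Manager steps above is persisted as the access element below, a sibling of the authentication element under system.webServer/security; this fragment is added here and is not from the original post. It assumes the access section has been unlocked at the server level (for example with appcmd unlock config -section:system.webServer/security/access), since, like the authentication subsections, it is locked by default.

```xml
<configuration>
  <system.webServer>
    <security>
      <!-- "Require SSL" + client certificates "Require": IIS Manager writes all three flags.
           "Accept" (prompt for a certificate but do not insist on one) would be
           sslFlags="Ssl, SslNegotiateCert" without SslRequireCert. -->
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
      <authentication>
        <!-- Same authentication settings as in the post; the site must not fall back to anonymous. -->
        <anonymousAuthentication enabled="false" />
        <iisClientCertificateMappingAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

Checking the effective sslFlags value with appcmd list config "Default Web Site" -section:system.webServer/security/access confirms whether the IIS Manager click actually landed in configuration before looking further at the ASP.NET Core Module.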