可以在 web.config 中配置客户端证书设置吗 [英] Can Client certificate settings be configured in the web.config

问题描述

我正在使用 SSL 应用程序，并且想要控制忽略、要求或接受客户端认证的文件夹.

I'm working with an SSL application and am wanting to control which folders ignore, require or accept client certifications.

最终目标是让 webApp 的子文件夹忽略客户端认证.我不想通过 IIS 执行此操作，因为它必须在整个 Web 场中复制.

The end goal is to have a sub-folder of the webApp ignore client certification. I do not want to do this via IIS because it will have to be replicated across the entire web farm.

有什么想法吗?

推荐答案

您可以结合使用 access 部分和 web.config(或适当子目录中的 web.configs)中的 locations 来配置它.

You can use a combination of the access section and locations in web.config (or web.configs in the appropriate subdirectories) to configure this.

例如，要在目录 Interface 中要求 SSL 证书，您可以将以下块添加到 web.config 的配置部分:

For example, to require an SSL certificate in the directory Interface, you can add the following block to your web.config's configuration section:

  <location path="Interface">
    <system.webServer>
      <security>
        <access sslFlags="Ssl,SslRequireCert" />
      </security>
    </system.webServer>
  </location>

注意:正如@Jonathan DeMarks 在他的评论中所述，我还需要包含 SslNegotiateCert 以使其工作(使用 IIS 8.5 和 Chrome).所以我的工作配置是:sslFlags="Ssl,SslRequireCert,SslNegotiateCert"事实上，我收到一个错误，指出我指定了 SslRequireCert，但我本可以使用 SslNegotiateCert.

NOTE: as @Jonathan DeMarks stated in his comment, I've also needed to include SslNegotiateCert to get it to work (with IIS 8.5 & Chrome). So the working config for me is: sslFlags="Ssl,SslRequireCert,SslNegotiateCert" In fact I got an error stating that I was specifying SslRequireCert but I could meant to use SslNegotiateCert.

请注意，如果您想要使用 Ssl，则必须添加它和相应的证书标志.

Note that if you want to require Ssl, you have to add it and the appropriate certificate flag.

technet 文档中的标志值是:

The flag values from the technet documentation are:

没有.此默认设置禁用站点或应用程序的 SSL.

None. This default setting disables SSL for the site or application.

SSL.网站或应用程序需要 SSL.

Ssl. The site or application requires SSL.

SslNegotiateCert.站点或应用程序接受客户端证书进行身份验证.

SslNegotiateCert. The site or application accepts client certificates for authentication.

SslRequireCert.站点或应用程序需要客户端证书进行身份验证.ssl128.站点或应用程序需要 128 位 SSL 证书加密.

SslRequireCert. The site or application requires client certificates for authentication. Ssl128. The site or application requires 128-bit SSL certificate encryption.

无论如何

access 部分默认不能被覆盖.

The access section cannot be overriden by default.

为了支持这一点，您必须修改 C:WindowsSystem32inetsrvconfig(或适合您的安装目录)中的 applicationHost.config 并更改以下行:

In order to support this, you must modify applicationHost.config in C:WindowsSystem32inetsrvconfig (or appropriate directory for your install) and change the following line:

<section name="access" overrideModeDefault="Deny" />

到:

<section name="access" overrideModeDefault="Allow" />

这篇关于可以在 web.config 中配置客户端证书设置吗的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！