IIS是否需要SSL客户端证书而不将其映射到Windows用户? [英] Can IIS require SSL client certificates without mapping them to a windows user?
问题描述
我希望能够将SSL客户端证书映射到ASP.NET Identity用户。我希望IIS尽可能多地完成工作(协商客户端证书并确认它是由受信任的CA签名),但我不希望IIS将证书映射到Windows用户。客户端证书被传递到ASP.NET,在那里它被检查并映射到ASP.NET身份用户,该用户被转换为ClaimsPrincipal。
I want to be able to map SSL client certificates to ASP.NET Identity users. I would like IIS to do as much of the work as possible (negotiating the client certificate and perhaps validating that it is signed by a trusted CA), but I don't want IIS to map the certificate to a Windows user. The client certificate is passed through to ASP.NET, where it is inspected and mapped to an ASP.NET Identity user, which is turned into a ClaimsPrincipal.
到目前为止,我能够让IIS将客户端证书传递给ASP.NET的唯一方法是启用 iisClientCertificateMappingAuthentication 并设置到Windows的多对一映射帐户(然后从不用于其他任何东西。)有没有办法让IIS在没有这个配置步骤的情况下协商并传递证书?
So far, the only way I have been able to get IIS to pass the client certificate through to ASP.NET is to enable iisClientCertificateMappingAuthentication and set up a many-to-one mapping to a Windows account (which is then never used for anything else.) Is there any way to get IIS to negotiate and pass the certificate through without this configuration step?
推荐答案
您不必使用iisClientCertificateMappingAuthentication。客户端证书可在HttpContext中访问。
You do not have to use the iisClientCertificateMappingAuthentication. The client certificate is accessible in the HttpContext.
var clientCert = HttpContext.Request.ClientCertificate;
要么在整个站点上启用RequireClientCertificate,要么使用单独的 login-with-clientcertificate page。
Either you enable RequireClientCertificate on the complete site or use a separate login-with-clientcertificate page.
以下是在ASP.NET MVC中执行此操作的一种方法。希望你可以使用它的一部分来适应你的确切情况。
Below is one way of doing this in ASP.NET MVC. Hopefully you can use parts of it to fit your exact situation.
- 首先确保你可以在web.config中设置SslFlags打开功能委派。
-
使网站接受(但不要求)客户证书
Make site accept (but not require) Client Certificates
设置login-with-clientcertificate-page的路径,其中需要客户端证书。在这种情况下,用户控制器具有CertificateSignin操作。
Set path to login-with-clientcertificate-page where client certificates will be required. In this case a User controller with a CertificateSignin action.
创建登录控制器(伪代码)
Create a login controller (pseudo-code)
[OutputCache(NoStore = true, Duration = 0, VaryByParam = "*")]
[AllowAnonymous()]
public ActionResult CertificateSignIn()
{
//Get certificate
var clientCert = HttpContext.Request.ClientCertificate;
//Validate certificate
if (!clientCert.IsPresent || !clientCert.IsValid)
{
ViewBag.LoginFailedMessage = "The client certificate was not present or did not pass validation";
return View("Index");
}
//Call your "custom" ClientCertificate --> User mapping method.
string userId;
bool myCertificateMappingParsingResult = Helper.MyCertificateMapping(clientCert, out userId);
if (!myCertificateMappingParsingResult)
{
ViewBag.LoginFailedMessage = "Your client certificate did not map correctly";
}
else
{
//Use custom Membersip provider. Password is not needed!
if (Membership.ValidateUser(userId, null))
{
//Create authentication ticket
FormsAuthentication.SetAuthCookie(userId, false);
Response.Redirect("~/");
}
else
{
ViewBag.LoginFailedMessage = "Login failed!";
}
}
return View("Index");
}
这篇关于IIS是否需要SSL客户端证书而不将其映射到Windows用户?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
