IIS: Handling WCF Client Certificate

WCF - TRANSPORT SECURITY – IIS - HANDLING CLIENT CERTIFICATES

1:1 Mapping - IIS 6 (Windows Server 2003)

IIS authenticates the client certificate and maps it to a Windows account.

Once the certificate is mapped, the request is authorized on the basis of the Windows account / identity associated with it. Note that one-to-one mapping compares the presented certificate with the stored copy exactly, so the mapping has to be recreated whenever the client's certificate is renewed.

 

Requirements:

  1. The client's certificate (public part only; IIS does not need the private key), so that it can be attached to a user identity.
  2. A Windows identity, which is used to authorize access to the service / application.

 

Steps

IIS Manager -> Web Site -> Properties -> Directory Security -> Secure communications -> Edit -> Enable client certificate mapping -> Edit

 

Add -> select the client's public certificate file (.cer, .crt, .spc, .key) -> give the mapping a name and the Windows account (with its password) that the certificate maps to

Many-to-1 Mapping - IIS 6 (Windows Server 2003)

Useful feature: enable wildcard client certificate mapping.

 

Here we define a set of rules, each with match criteria on certificate fields (subject or issuer components), that accept or refuse the matching certificates.

Within a rule every criterion must match; rules are evaluated in the order listed, and the first matching rule decides whether the request is accepted into the service (as the mapped account) or refused.

In many-to-one mapping too, a rule whose action is "Accept this certificate for logon authentication" needs a Windows account (and its password) to map the matching certificates to.

The "Refuse access" action needs no identity; IIS rejects the matching certificates directly.

 

IMPORTANT

If a user authenticated to your WCF service with a Windows credential, you will find their identity under

ServiceSecurityContext.Current.WindowsIdentity

If a user authenticated with a certificate, you will find their identity (an X509Identity, whose Name combines the certificate subject and thumbprint, rather than a WindowsIdentity) under

ServiceSecurityContext.Current.PrimaryIdentity

              

ServiceSecurityContext.Current.PrimaryIdentity therefore gives the identity the incoming client certificate was mapped to, and the service can use it for further authorization, for example by checking the name or the group membership of the mapped account.

 

IIS first tries to map every incoming client certificate at the IIS level.

If no mapping matches, the request falls back to the other authentication scheme enabled on the site, so Anonymous authentication must be enabled in IIS for such clients to get through at all.

With Anonymous authentication enabled, every such request is let into the service as the anonymous user, so the service itself must decide whether to trust the certificate.

 

Those requests can still be handled inside the WCF code with a custom certificate validator (a class derived from X509CertificateValidator; see https://msdn.microsoft.com/en-us/library/ms733806.aspx), which rejects certificates the service does not trust before the operation runs.
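As an added example (not code from the original post) of the two points above, the service-side identity checks and the custom validator: the validator below accepts only certificates that chain, with revocation checked, to an assumed internal CA thumbprint; a ServiceHostFactory installs it on the IIS-hosted service; and the service operation authorizes via WindowsIdentity when IIS mapped the certificate to a Windows account and via PrimaryIdentity otherwise. The CA thumbprint, the CONTOSO\OrderClients group and the IOrderService contract are placeholders, not anything from the original page.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Security;

namespace ClientCertDemo
{
    // Custom validator; WCF calls Validate for every client certificate the transport hands over.
    // Assumed policy: the certificate must chain, with revocation checked, to the internal CA
    // identified by TrustedCaThumbprint.
    public class InternalCaCertificateValidator : X509CertificateValidator
    {
        // Placeholder thumbprint of the trusted issuing CA; replace with the real value.
        private const string TrustedCaThumbprint = "0000000000000000000000000000000000000000";

        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException("certificate");

            var chain = new X509Chain();
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;

            // Build() fails on expiry, untrusted root, revocation and other chain errors.
            if (!chain.Build(certificate))
            {
                string reason = chain.ChainStatus.Length > 0
                    ? chain.ChainStatus[0].StatusInformation.Trim()
                    : "unknown chain error";
                throw new SecurityTokenValidationException("Client certificate rejected: " + reason);
            }

            // The last element of a successfully built chain is the root; pin it to our CA.
            X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            if (!string.Equals(root.Thumbprint, TrustedCaThumbprint, StringComparison.OrdinalIgnoreCase))
                throw new SecurityTokenValidationException(
                    "Client certificate rejected: not issued under the internal CA.");
        }
    }

    // Installs the validator on the IIS-hosted ServiceHost. Referenced from the .svc file:
    //   <%@ ServiceHost Service="ClientCertDemo.OrderService" Factory="ClientCertDemo.ValidatingServiceHostFactory" %>
    public class ValidatingServiceHostFactory : ServiceHostFactory
    {
        protected override ServiceHost CreateServiceHost(Type serviceType, Uri[] baseAddresses)
        {
            ServiceHost host = base.CreateServiceHost(serviceType, baseAddresses);
            X509ClientCertificateAuthentication auth = host.Credentials.ClientCertificate.Authentication;
            auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
            auth.CustomCertificateValidator = new InternalCaCertificateValidator();
            return host;
        }
    }

    [ServiceContract]
    public interface IOrderService
    {
        [OperationContract]
        string WhoAmI();
    }

    public class OrderService : IOrderService
    {
        // Assumed Windows group that IIS-mapped accounts must belong to.
        private const string RequiredGroup = @"CONTOSO\OrderClients";

        public string WhoAmI()
        {
            ServiceSecurityContext ctx = ServiceSecurityContext.Current;
            if (ctx == null || ctx.IsAnonymous)
                throw new FaultException("Caller is not authenticated.");

            // Case 1: IIS mapped the certificate to a Windows account.
            // When the caller is not Windows-authenticated, WindowsIdentity is the anonymous
            // identity (IsAuthenticated == false), so this branch is skipped.
            WindowsIdentity win = ctx.WindowsIdentity;
            if (win != null && win.IsAuthenticated)
            {
                var principal = new WindowsPrincipal(win);
                if (!principal.IsInRole(RequiredGroup))
                    throw new FaultException("Mapped account is not a member of " + RequiredGroup);
                return "Windows account: " + win.Name;
            }

            // Case 2: no mapping matched; the identity comes from the certificate itself
            // (AuthenticationType "X509", Name holds the subject and thumbprint).
            IIdentity id = ctx.PrimaryIdentity;
            return id.AuthenticationType + ": " + id.Name;
        }
    }
}
```

The validator only runs if the service binding uses transport security with clientCredentialType set to Certificate, and, with the fallback described above, only if the IIS site also allows Anonymous authentication so that unmapped certificates reach WCF at all. If certificateValidationMode and customCertificateValidatorType are set in the serviceCredentials section of web.config instead, the factory is not needed.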

 

I hope this helps in handling client certificates on IIS and inside WCF service.