Programmatically set a binding to require client certificate negotiation in IIS
How can I achieve the equivalent of setting clientcertnegotiation=enable with netsh from an application using C# (without exec'ing a command line)?

netsh http add sslcert ipport=0.0.0.0:8000 certhash=2064a43f429fe97746ce0c1c9adcd4ea93415f6d appid={4dc3e181-e14b-4a21-b022-59fc669b0914} clientcertnegotiation=enable

The following code successfully adds the cert:

using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Web.Administration;

// cert is the X509Certificate2 to bind; it is supplied by the caller
static void BindCertificate(X509Certificate2 cert)
{
    using (var manager = new ServerManager())
    {
        var siteBindings = from s1 in manager.Sites
                           from b1 in s1.Bindings
                           where b1.Protocol.Equals("https")
                           select new { SiteName = s1.Name, Binding = b1 };

        foreach (var siteBinding in siteBindings)
        {
            siteBinding.Binding.CertificateHash = cert.GetCertHash();
        }

        // This is correctly setting the values on the Ssl Cert configuration section in IIS
        var config = manager.GetApplicationHostConfiguration();
        var accessSection = config.GetSection("system.webServer/security/access", "WebActivationService");
        accessSection["sslFlags"] = @"Ssl, SslRequireCert";

        manager.CommitChanges();
    }
}

But running netsh http show sslcert shows that it unsets Negotiate Client Certificate:

IP:port                 : 0.0.0.0:8000
Certificate Hash        : 2064a43f429fe97746ce0c1c9adcd4ea93415f6d
Application ID          : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name  : MY
Verify Client Certificate Revocation    : Enabled
Verify Revocation Using Cached Client Certificate Only    : Disabled
Usage Check    : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout   : 0
Ctl Identifier          : (null)
Ctl Store Name          : (null)
DS Mapper Usage    : Disabled
Negotiate Client Certificate    : Disabled

Deleting and re-creating the binding has the same effect.

Doolie answered 10/8, 2011 at 12:46 Comment(0)
From Windows Server 2003 onwards, the following can be used:

ULONG HttpSetServiceConfiguration(
  __in  HANDLE ServiceHandle,
  __in  HTTP_SERVICE_CONFIG_ID ConfigId,
  __in  PVOID pConfigInformation,
  __in  ULONG ConfigInformationLength,
  __in  LPOVERLAPPED pOverlapped
);

http://msdn.microsoft.com/en-us/library/windows/desktop/aa364503(v=vs.85).aspx

Doolie answered 16/2, 2012 at 16:14 Comment(0)
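A worked C# P/Invoke of that call, added here as an example and not part of the original answer: it replaces the http.sys entry for the binding with the NEGOTIATE_CLIENT_CERT flag set, which is what clientcertnegotiation=enable does. The struct layouts and constants follow httpapi.h; the class, Bind and Check names are chosen here, and the hash and appid in the usage note are the ones from the question.

```csharp
using System;
using System.ComponentModel;
using System.Net;
using System.Runtime.InteropServices;
// Added example: recreate the http.sys SSL binding via the HTTP Server API with the
// NEGOTIATE_CLIENT_CERT flag. Layouts and constants follow httpapi.h; must run elevated.
static class SslCertNegotiation
{
    [StructLayout(LayoutKind.Sequential)] struct HTTPAPI_VERSION { public ushort Major, Minor; }
    [StructLayout(LayoutKind.Sequential)] struct SOCKADDR_IN { public short Family; public ushort Port; public uint Addr; public ulong Zero; } // network byte order
    [StructLayout(LayoutKind.Sequential)] struct HTTP_SERVICE_CONFIG_SSL_KEY { public IntPtr pIpPort; }
    [StructLayout(LayoutKind.Sequential)] struct HTTP_SERVICE_CONFIG_SSL_PARAM
    {
        public int SslHashLength; public IntPtr pSslHash; public Guid AppId;
        [MarshalAs(UnmanagedType.LPWStr)] public string pSslCertStoreName;
        public uint DefaultCertCheckMode, DefaultRevocationFreshnessTime, DefaultRevocationUrlRetrievalTimeout;
        [MarshalAs(UnmanagedType.LPWStr)] public string pDefaultSslCtlIdentifier, pDefaultSslCtlStoreName;
        public uint DefaultFlags;   // HTTP_SERVICE_CONFIG_SSL_FLAG_* bits
    }
    [StructLayout(LayoutKind.Sequential)] struct HTTP_SERVICE_CONFIG_SSL_SET { public HTTP_SERVICE_CONFIG_SSL_KEY KeyDesc; public HTTP_SERVICE_CONFIG_SSL_PARAM ParamDesc; }
    const int HttpServiceConfigSSLCertInfo = 1;                          // HTTP_SERVICE_CONFIG_ID value
    const uint HTTP_INITIALIZE_CONFIG = 0x2, ERROR_FILE_NOT_FOUND = 2;
    const uint HTTP_SERVICE_CONFIG_SSL_FLAG_NEGOTIATE_CLIENT_CERT = 0x2; // clientcertnegotiation=enable
    [DllImport("httpapi.dll")] static extern uint HttpInitialize(HTTPAPI_VERSION v, uint flags, IntPtr r);
    [DllImport("httpapi.dll")] static extern uint HttpTerminate(uint flags, IntPtr r);
    [DllImport("httpapi.dll")] static extern uint HttpSetServiceConfiguration(IntPtr h, int id, ref HTTP_SERVICE_CONFIG_SSL_SET p, int len, IntPtr o);
    [DllImport("httpapi.dll")] static extern uint HttpDeleteServiceConfiguration(IntPtr h, int id, ref HTTP_SERVICE_CONFIG_SSL_SET p, int len, IntPtr o);
    static void Check(uint rc, string api) { if (rc != 0) throw new Win32Exception((int)rc, api + " failed"); }
    public static void Bind(IPEndPoint ep, byte[] certHash, Guid appId)
    {
        Check(HttpInitialize(new HTTPAPI_VERSION { Major = 1, Minor = 0 }, HTTP_INITIALIZE_CONFIG, IntPtr.Zero), "HttpInitialize");
        var sa = new SOCKADDR_IN { Family = 2 /* AF_INET */, Port = (ushort)IPAddress.HostToNetworkOrder((short)ep.Port),
                                   Addr = BitConverter.ToUInt32(ep.Address.GetAddressBytes(), 0) };   // bytes already big-endian
        GCHandle saPin = GCHandle.Alloc(sa, GCHandleType.Pinned), hashPin = GCHandle.Alloc(certHash, GCHandleType.Pinned);
        try
        {
            var set = new HTTP_SERVICE_CONFIG_SSL_SET(); set.KeyDesc.pIpPort = saPin.AddrOfPinnedObject();
            set.ParamDesc.SslHashLength = certHash.Length; set.ParamDesc.pSslHash = hashPin.AddrOfPinnedObject();
            set.ParamDesc.AppId = appId; set.ParamDesc.pSslCertStoreName = "MY";
            set.ParamDesc.DefaultFlags = HTTP_SERVICE_CONFIG_SSL_FLAG_NEGOTIATE_CLIENT_CERT;
            int len = Marshal.SizeOf(set);
            // http.sys will not update an entry in place (ERROR_ALREADY_EXISTS), so drop any existing one first
            uint rc = HttpDeleteServiceConfiguration(IntPtr.Zero, HttpServiceConfigSSLCertInfo, ref set, len, IntPtr.Zero);
            if (rc != 0 && rc != ERROR_FILE_NOT_FOUND) throw new Win32Exception((int)rc, "HttpDeleteServiceConfiguration failed");
            Check(HttpSetServiceConfiguration(IntPtr.Zero, HttpServiceConfigSSLCertInfo, ref set, len, IntPtr.Zero), "HttpSetServiceConfiguration");
        }
        finally { hashPin.Free(); saPin.Free(); HttpTerminate(HTTP_INITIALIZE_CONFIG, IntPtr.Zero); }
    }
}
```

For the binding in the question the call is `SslCertNegotiation.Bind(new IPEndPoint(IPAddress.Any, 8000), cert.GetCertHash(), new Guid("4dc3e181-e14b-4a21-b022-59fc669b0914"))`, made after manager.CommitChanges(), since the netsh output in the question shows that commit leaves the entry with Negotiate Client Certificate disabled.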
To me it seems that you are missing some essential settings... For a code sample on how to do this, with some explanation, see http://www.iis.net/ConfigReference/system.webServer/security/authentication/iisClientCertificateMappingAuthentication#006

Regardful answered 10/8, 2011 at 13:11 Comment(2)
This particular example only shows how to do IIS based certificate mapping, which is different than asking for client authentication. – Car
When I configure through netsh these settings don't seem to be altered - does one override the other or are they independent? – Doolie
You want to enable client certificate checking using the example described in https://www.iis.net/ConfigReference/system.applicationHost/sites/site/ftpServer/security/sslClientCertificates.

You need to set clientCertificatePolicy to CertRequire in order to fail non-client-authenticated connections. Depending on whether you want to map the certificate to an actual Windows user, you need to set useActiveDirectoryMapping to the proper value.

Car answered 10/8, 2011 at 16:4 Comment(2)
That seems to be FTP specific, whereas it is actually a web service that is operating on the port in this case. And setting through netsh doesn't seem to update any settings here - are they somehow independent of one another? – Doolie
Looking at the docs, it should apply to HTTP as well, since they share the same settings container. I don't know if FTP is configured through netsh, but if it is, then the same should work. – Car