Can IIS require an SSL client certificate without mapping it to a Windows user?

jle*_*lew 2 asp.net authentication iis ssl client-certificates

I want to be able to map an SSL client certificate to an ASP.NET Identity user. I want IIS to do as much of the work as possible (negotiate the client certificate and perhaps verify that it was signed by a trusted CA), but I don't want IIS to map the certificate to a Windows user. The client certificate should be passed on to ASP.NET, where it is inspected and mapped to an ASP.NET Identity user, which then becomes a ClaimsPrincipal.

So far, the only way I have been able to get IIS to pass the client certificate to ASP.NET is to enable iisClientCertificateMappingAuthentication and set up a many-to-one mapping to a Windows account (which is then never used for anything else). Is there a way to have IIS negotiate and pass through the certificate without this configuration step?

mag*_*nus 6

You don't have to use iisClientCertificateMappingAuthentication. The client certificate is accessible from HttpContext.

    var clientCert = HttpContext.Request.ClientCertificate;

You can either enable RequireClientCertificate for the whole site, or use a separate login-with-clientcertificate page.

Below is one way to do it in ASP.NET MVC. Hopefully you can use parts of it for your specific scenario.

  1. First make sure you are allowed to set SslFlags in web.config by enabling feature delegation.

IIS - Feature Delegation

  2. Make the site accept (but not require) client certificates.

  3. Set the path of the login-with-clientcertificate page, where a client certificate is required. In this case the User controller has a CertificateSignIn action.

web.config

  4. Create the login controller (pseudocode):

    using System.Web.Mvc;
    using System.Web.Security;

    public class UserController : Controller
    {
        [OutputCache(NoStore = true, Duration = 0, VaryByParam = "*")]
        [AllowAnonymous()]
        public ActionResult CertificateSignIn()
        {
            //Get certificate (IIS has already negotiated it on this path)
            var clientCert = HttpContext.Request.ClientCertificate;

            //Validate certificate
            if (!clientCert.IsPresent || !clientCert.IsValid)
            {
                ViewBag.LoginFailedMessage = "The client certificate was not present or did not pass validation";
                return View("Index");
            }

            //Call your "custom" ClientCertificate --> User mapping method.
            string userId;
            bool myCertificateMappingParsingResult = Helper.MyCertificateMapping(clientCert, out userId);

            if (!myCertificateMappingParsingResult)
            {
                ViewBag.LoginFailedMessage = "Your client certificate did not map correctly";
            }
            else
            {
                //Use custom Membership provider. Password is not needed!
                if (Membership.ValidateUser(userId, null))
                {
                    //Create authentication ticket and leave the action via a redirect result
                    FormsAuthentication.SetAuthCookie(userId, false);
                    return Redirect("~/");
                }
                else
                {
                    ViewBag.LoginFailedMessage = "Login failed!";
                }
            }

            return View("Index");
        }
    }
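The answer leaves `Helper.MyCertificateMapping` to the reader, and that is where the security decision actually lives: `clientCert.IsValid` only says that IIS could build a chain to some root in the machine store, not that the certificate came from the CA you issue client certificates from. The following is an added example (my code, not the answerer's or any library's) of one way to write that mapping step: it rebuilds the chain, pins the issuing root, and looks the certificate up by thumbprint rather than by subject CN before producing the ClaimsPrincipal the question asks for. `TrustedIssuerThumbprint`, `UserStore` and the sample thumbprints are placeholders; in a real application the thumbprint would be stored against the ASP.NET Identity user. The IIS side it relies on is the `sslFlags` attribute on `system.webServer/security/access` (`SslNegotiateCert` to ask for a certificate, `SslRequireCert` to demand one on the sign-in path), which is what step 1 delegates and steps 2 and 3 set.

```csharp
// Added example (not from the original answer): validate a negotiated client
// certificate in the application and map it to an application user, instead of
// letting IIS map it to a Windows account. TrustedIssuerThumbprint, UserStore and
// the sample thumbprints below are constructed placeholders for this illustration.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web;

public static class ClientCertificateMapper
{
    // Thumbprint of the CA that issues your client certificates (placeholder value).
    const string TrustedIssuerThumbprint = "0000000000000000000000000000000000000000";

    // Constructed sample user store: certificate thumbprint -> application user id.
    // In a real app this is a column (or external login row) on the Identity user.
    static readonly Dictionary<string, string> UserStore =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "1111111111111111111111111111111111111111", "alice@example.com" },
        };

    // Entry point for MVC/WebForms code: HttpClientCertificate.Certificate holds the DER bytes.
    public static bool TryMap(HttpClientCertificate clientCert, out ClaimsPrincipal principal)
    {
        principal = null;
        if (clientCert == null || !clientCert.IsPresent) return false;
        var cert = new X509Certificate2(clientCert.Certificate);
        return TryMap(cert, out principal);
    }

    public static bool TryMap(X509Certificate2 cert, out ClaimsPrincipal principal)
    {
        principal = null;
        if (cert == null) return false;

        // Re-check the chain ourselves rather than trusting IsValid alone.
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;   // NoCheck only if your CA publishes no CRL/OCSP
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2")); // id-kp-clientAuth EKU
            if (!chain.Build(cert)) return false;

            // Pin the issuing CA: a valid certificate from any other trusted root is rejected.
            var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            if (!string.Equals(root.Thumbprint, TrustedIssuerThumbprint, StringComparison.OrdinalIgnoreCase))
                return false;
        }

        // Map by thumbprint, not by subject CN: different certificates (from the same
        // or another CA) can share a CN, but the thumbprint identifies exactly one.
        string userId;
        if (!UserStore.TryGetValue(cert.Thumbprint, out userId)) return false;

        var identity = new ClaimsIdentity("ClientCertificate");
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userId));
        identity.AddClaim(new Claim(ClaimTypes.Name, userId));
        identity.AddClaim(new Claim(ClaimTypes.Thumbprint, cert.Thumbprint));
        identity.AddClaim(new Claim(ClaimTypes.AuthenticationMethod, "X509"));
        principal = new ClaimsPrincipal(identity);
        return true;
    }
}
```

Call `ClientCertificateMapper.TryMap(HttpContext.Request.ClientCertificate, out principal)` at the point where the answer calls `Helper.MyCertificateMapping`, and hand the resulting principal to whatever sign-in mechanism the site uses (the answer's `FormsAuthentication.SetAuthCookie`, or the OWIN authentication manager when ASP.NET Identity is in play). When a certificate is revoked or re-issued, updating the stored thumbprint is what invalidates the old one, so that column should be treated as a credential.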