Web Connection
Client Certificate info not available
  Craig Franklin
  All
  Apr 16, 2018 @ 04:32am

I was hoping to leverage GetClientCertificate() to provide more security around user authentication, but I don't see any of the ClientCert variables in the ServerVariables of the request. We are using https to connect. Do I need to enable IIS client certificate authentication to see the ClientCert variables?

re: Client Certificate info not available
  Rick Strahl
  Craig Franklin
  Apr 16, 2018 @ 12:53pm

Not sure - those values should show up. Make sure you're using the .NET Module which will give you back all the server variables that IIS publishes. The ISAPI extension only publishes certain things and I'm pretty sure it doesn't capture all the client cert vars unless you explicitly add them.

Second, the request has to be sending the cert 😃 - so this doesn't happen automatically.

Honestly I'm not all that familiar with the whole Client Cert process because it's rarely the right choice for securing connections. HTTPS is for transport security, not for ensuring authentication, so in my view that's mixing concerns. Plus it's such a PITA to configure and use client certificates on Windows that I think it's never worth the hassle of dealing with them.

If you have more specific information I can take a look but without that I'm not even sure what exactly is required to make this work properly. All I know is that IIS should provide the right info and the .NET Module forwards all that info into your Web Connection request data. If it's not there either the cert wasn't sent or the certs aren't validated on the server (the latter of which is a config issue).

Sorry I can't be of more help with this.

+++ Rick ---

re: Client Certificate info not available
  Craig Franklin
  Rick Strahl
  Apr 16, 2018 @ 02:27pm

Thanks for the prompt response Rick. I am using the ISAPI extension so I will further investigate your comment about "it doesn't capture all the client cert vars unless you explicitly add them".

I'm looking to incorporate some type of client/device identification checking (in addition to the IP address) to prevent session hijacking, and was hoping the client cert info may assist in this regard.

re: Client Certificate info not available
  Rick Strahl
  Craig Franklin
  Apr 16, 2018 @ 03:26pm

Yes, the ISAPI module doesn't have a way to iterate all the variables that IIS makes available. I occasionally review what IIS publishes and add the ones that are important, but there are still many obscure headers that don't get added.

You can use the [Extra Server Variables] section in wc.ini to add additional variables.

; Add any extra HTTP Server variables that you
; want to include in your request. Adds custom
; vars beyond the defaults. var1,var2,var3 etc. as key names
[Extra Server Variables]
var1=LOCAL_ADDR
var2=APPL_MD_PATH

If at all possible you should switch to use the .NET Module. Lots of extra features and better overall stability especially in recent versions of Windows Server (2012+).

+++ Rick ---

re: Client Certificate info not available
  Rick Strahl
  Craig Franklin
  Apr 16, 2018 @ 06:13pm

I was working through some other issues in ISAPI today and while I was digging through the C++ code I took a quick look at what ISAPI returns. As far as I can tell ISAPI returns ALL the CERT_ flags that IIS publishes. You do need a reasonably recent version of the ISAPI DLL for these vars to all be there though - these were added sometime in V5.50 or so I believe.

These are the keys that I pull in the ISAPI handler:

	GetVarAndWritePostKey(pParam,
		TEXT("CERT_FLAGS"), TEXT("CERT_FLAGS"));
	GetVarAndWritePostKey(pParam,
		TEXT("CERT_COOKIE"), TEXT("CERT_COOKIE"));
	GetVarAndWritePostKey(pParam,
		TEXT("CERT_SERIALNUMBER"), TEXT("CERT_SERIALNUMBER"));
	GetVarAndWritePostKey(pParam,
		TEXT("CERT_ISSUER"), TEXT("CERT_ISSUER"));
	GetVarAndWritePostKey(pParam,
		TEXT("CERT_KEYSIZE"), TEXT("CERT_KEYSIZE"));
	GetVarAndWritePostKey(pParam,
		TEXT("CERT_SECRETKEYSIZE"), TEXT("CERT_SECRETKEYSIZE"));
	// CERT_SERIALNUMBER is written a second time here (duplicate of the call above)
	GetVarAndWritePostKey(pParam,
		TEXT("CERT_SERIALNUMBER"), TEXT("CERT_SERIALNUMBER"));
	GetVarAndWritePostKey(pParam,
		TEXT("CERT_SERVER_SUBJECT"), TEXT("CERT_SERVER_SUBJECT"));
	GetVarAndWritePostKey(pParam,
		TEXT("CERT_SERVER_ISSUER"), TEXT("CERT_SERVER_ISSUER"));
	GetVarAndWritePostKey(pParam,
		TEXT("CERT_SUBJECT"), TEXT("CERT_SUBJECT"));

According to the documentation of available vars, that's everything:

https://msdn.microsoft.com/en-us/library/ms524602(v=vs.90).aspx

But while I was here I added a few additional keys like the APP_POOL_ID (which is actually handy internally) and SCRIPT_TRANSLATED.

+++ Rick ---
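Added example (not code from the thread or from Web Connection): once the CERT_* server variables listed above reach the request, this is one way to use them for the session-binding check Craig asked about. It assumes the server variables arrive as a plain dictionary, assumes the CERT_FLAGS bit layout from the IIS server-variable documentation (bit 0 = client cert present, bit 1 = issuer not recognized by IIS), and uses constructed sample values.

```python
import hashlib
import hmac

# Constructed sample of the server variables a request might carry once the
# CERT_* keys are forwarded by the ISAPI DLL or the .NET Module (values made up).
SAMPLE_VARS_OK = {
    "HTTPS": "on",
    "CERT_FLAGS": "1",          # bit 0 set: cert present; bit 1 clear: issuer recognized
    "CERT_SERIALNUMBER": "3a-1f-77-c2",
    "CERT_ISSUER": "CN=Example Corp Device CA",
    "CERT_SUBJECT": "CN=laptop-0042,OU=Field",
    "REMOTE_ADDR": "203.0.113.10",
}
SAMPLE_VARS_UNTRUSTED = dict(SAMPLE_VARS_OK, CERT_FLAGS="3")   # present, but CA not recognized
SAMPLE_VARS_NO_CERT = {"HTTPS": "on", "CERT_FLAGS": "0", "REMOTE_ADDR": "203.0.113.10"}


def client_cert_state(server_vars):
    """Classify the client cert from CERT_FLAGS (assumed layout: bit 0 present, bit 1 bad CA)."""
    try:
        flags = int(server_vars.get("CERT_FLAGS") or "0")
    except ValueError:
        return "absent"          # malformed value: treat as no usable cert
    if not flags & 1:
        return "absent"
    if flags & 2:
        return "untrusted_issuer"
    return "trusted"


def device_binding(server_vars, secret):
    """Derive a session-binding value from issuer + serial (the stable identity of a cert).

    Keyed with a server-side secret so the stored value cannot be rebuilt from
    the certificate fields alone. Returns None unless IIS validated the cert.
    """
    if client_cert_state(server_vars) != "trusted":
        return None
    ident = server_vars["CERT_ISSUER"] + "|" + server_vars["CERT_SERIALNUMBER"]
    return hmac.new(secret, ident.encode(), hashlib.sha256).hexdigest()


def session_matches(server_vars, stored_binding, secret):
    """True only when the cert on this request maps to the binding recorded at login."""
    current = device_binding(server_vars, secret)
    return current is not None and hmac.compare_digest(current, stored_binding)
```

Record `device_binding()` in the session at login and reject any later request where `session_matches()` is false; a request without a validated cert never matches, so the IP-address check is no longer the only thing tying a session to a client.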
