Adding client certificate authentication to a web application can enable some interesting scenarios, e.g.
- multi-factor authentication (something you have: a certificate / something you know: a password)
- restrict access to an application to selected hardware where the cert is installed. You maybe want to prevent that your users login using a computer in an internet cafe (with possible keyloggers etc. installed). Certificates on the client can be marked as “non-exportable”
- You can map the certificate to Active Directory accounts, either via configuration or by pulling out the UPN from the cert and getting a Protocol Transition token. This enables scenarios where clients connect over the internet and you “convert” their certificate to a Kerberos credential.
- You can encrypt data on the server using the client’s public key transmitted during the SSL handshake.
Unfortunately, the documentation on using client certificates with IIS6 is a little – well – sketchy.
I had some issues – here’s a quick walkthrough
First enable and require SSL for the application and require client certs (this is done in the IIS directory security dialog). Then issue a certificate to the user.
If you browse to the application, IE sends the “right” client cert auto-magically to the server and if it is valid, IIS lets the request through to the application where you can access the cert using Request.ClientCertificate.
But what is the “right” certificate?
During the SSL handshake the web server sends a list of allowed root CAs to the browser. The client cert has to be issued from one of these CAs. If IE finds a certificate issued by one of the allowed CAs he automatically sends it to the server. If IE finds multiple suitable certificates, you get a dialog box where you can choose the cert to use for authentication.
…and what are allowed CAs?
The CA cert on the server must have an intended purpose of “Client Authentication”. And that’s what bit me – I requested a test cert from the german TrustCenter CA – but it didn’t show up in IE’s certificate selection dialog. Test certs from TrustCenter are issued from the “TC TrustCenter Class 1 CA” (and this CA is trusted by Windows 2003). I guess because this CA is only used for test certs the “Client Authentication” intended purpose is not enabled by default. To enable it – navigate to the Trusted CA container in the certificate MMC snapin – right click – properties – and enable “Client Authentication”.
Now IE also allows you to select the cert from this CA.
Thanks to Andreas Klein from Microsoft Germany for helping me with this issue.