How to setup client certificate authentication in ASP.NET framework - c#

I'm trying to figure out how to set up my Azure Web App to require client certification. The idea is to force the client's browser to send an SSL certificate (that's installed on their machine) to the web app. The web app then validates attributes in the certificate to make sure the client is authorized to access the web app.
The purpose is to enhance the security of our web app, since a user cannot log in from a device that doesn't have the SSL cert explicitly installed (even if they have the username/password somehow).
I'm not sure where I should begin with this. I understand SSL handshakes and the high-level concepts, but I don't really understand how to implement this in my current ASP.NET MVC web app. A tutorial that would point me in the correct direction would really help out. Or even the steps required to achieve this, as I am not sure where to begin (setting up an SSL certificate with IIS? Getting the client to send the SSL certificate? Where does the certificate come from?) All of these questions...
UPDATE: I found this article:
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth
But I don't know where to begin...

Related

Azure functions Authentication - possible without AD?

I'm working on securing some Azure Functions endpoints. I tried with a certificate, but I hit a few walls.
In the FunctionsStartup (from which my startup derives) I could not find a way to connect my AddAuth and Auth methods/classes. (I tried to search and read more on this topic, but all the answers were either for web APIs or for other types of authentication.)
I tried to check for the existence of a certificate at least, but that didn't work either. I tried to get the certificate from request-context-connection-ClientCertificate or to read it from headers. It didn't work locally or on the deployed version. The certificates are always null.
I saw that there are some options to secure it with AD (also with Facebook, Google and so on), but first I'm curious whether someone has successfully implemented another auth method, more like in a classic web API approach (JWT tokens, certificates, other similar stuff).
Access restrictions enable you to define a priority ordered allow/deny list that controls network access to your app. The list can include IP addresses or Azure Virtual Network subnets. When there are one or more entries, there is then an implicit "deny all" that exists at the end of the list.
You can also request a client certificate when the client request is over TLS/SSL and validate the certificate. This mechanism is called TLS mutual authentication or client certificate authentication.
First, your App Service plan must be in the Basic, Standard, Premium, or Isolated tier.
Secondly, enable client certificates:
az webapp update --set clientCertEnabled=true --name <app_name> --resource-group <group_name>
Finally, access the client certificate. App Service injects an X-ARR-ClientCert request header with the client certificate. Your app code is responsible for validating the client certificate.
For more details about how to configure TLS mutual authentication for Azure App Service, please refer to this article.
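An added example (not from the question or the answers above) of the validation step that the answer leaves to app code: an ASP.NET MVC 5 authorization filter that reads the X-ARR-ClientCert header App Service injects, decodes it, and allows only certificates on a thumbprint allow-list that also chain to a CA trusted on the host. The attribute name and the placeholder thumbprint are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.Mvc;

// Hypothetical MVC 5 filter; apply as [RequireClientCertificate] on a controller or action.
// App Service forwards the TLS client certificate as base64-encoded DER in X-ARR-ClientCert.
public sealed class RequireClientCertificateAttribute : AuthorizeAttribute
{
    // Constructed placeholder: replace with the SHA-1 thumbprints of the certificates you issued.
    private static readonly HashSet<string> AllowedThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "0000000000000000000000000000000000000000" };

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Trust this header only behind App Service, which sets it itself after terminating TLS.
        // On a plain IIS host a caller could send the header, so use Request.ClientCertificate there.
        string header = httpContext.Request.Headers["X-ARR-ClientCert"];
        if (string.IsNullOrEmpty(header)) return false;   // fail closed: no certificate presented

        X509Certificate2 cert;
        try
        {
            cert = new X509Certificate2(Convert.FromBase64String(header));
        }
        catch (Exception ex) when (ex is FormatException || ex is CryptographicException)
        {
            return false;   // a malformed header is treated the same as no certificate
        }
        return IsAuthorized(cert, DateTime.UtcNow);
    }

    // Kept separate from header handling so the policy can be unit-tested with a test certificate.
    internal static bool IsAuthorized(X509Certificate2 cert, DateTime nowUtc)
    {
        if (nowUtc < cert.NotBefore.ToUniversalTime() || nowUtc > cert.NotAfter.ToUniversalTime())
            return false;
        // Pin individually issued certificates; swap in issuer/subject checks if you authorise a whole CA.
        if (!AllowedThumbprints.Contains(cert.Thumbprint)) return false;
        // The certificate must also chain to a CA trusted on the host, with online revocation checks.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        return chain.Build(cert);
    }
}
```

When the filter returns false, AuthorizeAttribute's default handling produces a 401; the check is deliberately ordered so a request with no header or a bad thumbprint is rejected before any chain building or network revocation lookup happens.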

Set up Azure Web App to accept client certificates

I have an ASP.NET MVC web application that I deployed to Microsoft Azure as a Web App. In that application I have some Web API endpoints that would be only accessible if the user has the correct certificate with the allowed thumbprint. However, I have other endpoints as well (and of course the website) that would be accessible without a client certificate.
I know there is a possibility to set up the Azure Web App to require a client certificate through an HTTPS connection. But if I make the mentioned REST API call
ARMClient PUT subscriptions/{Subscription Id}/resourcegroups/{Resource Group Name}/providers/Microsoft.Web/sites/{Website Name}?api-version=2015-04-01 #enableclientcert.json -verbose
that will cause only those users who have client certificates to be able to visit my site and use the Web API endpoints.
If I open my locally installed IIS Manager, I will have an option to Accept client certificates, not to require them, as you can see in this image:
My question is how can I set up my Azure Web App to accept (not require) client certificates? I searched over this site and many other forums, but I cannot find a way to set up Web Apps in this way.
Update:
My question is how can I set up my Azure Web App to accept (not require) client certificates?
It seems that it is not supported on Azure now. I also found the "support optional client certificates for TLS mutual auth" feedback item, and it is now under review by the Azure team. You can also vote it up.
We could also remote into the Azure website using IIS Manager to set it up; you can get the detailed steps from this blog.
**Prerequisites**
On Windows client OS: IIS Manager for Remote Administration
On Windows Server: make sure you have installed the IIS Management Console.
Refer to step 6 in http://www.iis.net/learn/install/installing-iis-7/installing-iis-on-windows-vista-and-windows-7 – "IIS Management Console" is the required feature.

Secure Connection from LAMP to IIS Web API

I already have an existing LAMP application. I am going to integrate a 3rd-party API which uses C#, so I'm planning to create a Web API for them to connect to. No other website will connect to the web API other than the LAMP app. How do I make a secure connection from my LAMP app to the web API? Thanks.
If it is just API calls and nothing dealing with interfaces, you can use encrypted WebSockets or create your own Authorization headers... which could be a bit of work and would only work between those two applications.
The most secure way to lock them up is a combination of a secure HTTP request (HTTPS) coupled with a Client Certificate.
All of these things are quite a tall order; your best bet is to just get/create a half-way decent SSL certificate and use BASIC authentication. Your authorization headers will be encrypted. Even a self-signed certificate would work; make sure to research how to make a self-signed certificate the most secure it can be. Also, your LAMP server will likely make use of cURL to send the requests to the C# server; you'll want to make use of the curl -k option if you're going to be using a self-signed cert.

How to bypass Untrusted certificate error from GWT client side code?

I created a self-hosted HTTPS WCF web service running on my localhost machine. Now I make a request to this web service from a GWT-based application hosted on some domain.
I use a self-signed X.509 certificate which is not approved yet. Whenever my GWT application makes requests, it shows an error because of the untrusted certificate. Can I bypass this error from my GWT client code, or can you suggest alternative solutions?
Is there any other protocol supported by WCF services that we can use for communication and that will not trigger the security alert from the browser?
Updated
Whole scenario:
You installed an exe on your system, which takes care of the WCF web service and of importing the certificate to your local machine.
You open a GWT-based website from your browser. Let's say some.com.
some.com continuously polls a request to his/her local machine. Let's say on https://localhost:8098/{someendpoint}
But because of this HTTPS and untrusted certificate, it is not able to make the request.
since you said
Let's start with local testing
How about installing your self-signed certificate onto the machine on which you are testing the GWT?
You should be able to double-click the certificate and follow the prompts/wizard to install it.
This applies to development only (for production you'd need a proper certificate).

How can we call SSL Web Service from SQL Server CLR?

I have a web service and I want to call it from https. What is the solution?
This works for http.
Since I have a pretty good background in server setup, I will try and tackle this question.
First off, you need to set up SSL on your website. This involves buying an SSL certificate or self-signing one. Once you have an SSL certificate you need to set up your server to use it and serve your website through SSL.
As for your web code, the service you are hosting will work just as well under SSL as without. You will just have to change how you call it to use https:// instead of http://.
If you are trying to secure sensitive data you may want to set up your web server to redirect all non-SSL requests to the same path but under SSL by changing http:// in the path to https://. Any decent server administrator should know how to do this.
