Set up Azure Web App to accept client certificates - c#

I have an ASP.NET MVC web application that I deployed to Microsoft Azure as a Web App. In that application I have some Web API endpoints that would be only accessible if the user has the correct certificate with the allowed thumbprint. However, I have other endpoints as well (and of course the website) that would be accessible without a client certificate.
I know there is a possibility to set up the Azure Web App to require client certificate through a HTTPS connection. But if I make the mentioned REST API call
ARMClient PUT subscriptions/{Subscription Id}/resourcegroups/{Resource Group Name}/providers/Microsoft.Web/sites/{Website Name}?api-version=2015-04-01 #enableclientcert.json -verbose
that will cause that only those users can visit my site and use the Web API endpoints who has client certificates.
If I open my locally installed IIS Manager, I will have an option to Accept client certificates, not to require them, as you can see in this image:
My question is how can I set up my Azure Web App to accept (not require) client certificates? I searched over this site and many other forums, but I cannot find a way to set up Web Apps in this way.

Update:
My question is how can I set up my Azure Web App to accept (not require) client certificates?
It seems that it is not supported on azure now. I also find the support optional client certificates for TLS mutual auth feedback. And now it is underview by Azure team. You also can vote it up.
We also could remote to the Azure website using IIS Manager to set up it, you could get the detail steps from this blog.
**Prerequisites**
>On Window client OS - [IIS Manager for Remote Administration][3]
>On Windows Server – Make sure you have installed IIS Management Console.
Refer to step 6 in http://www.iis.net/learn/install/installing-iis-7/installing-iis-on-windows-vista-and-windows-7 - “IIS Management Console” is the required feature.

Related

Azure functions Authentication - possible without AD?

I'm working on securing some Azure Functions endpoints. I tried with Certificate, but I hit a few walls
In the FunctionsStartup (from which derives my startup) I could not find a way to connect my AddAuth and Auth methods/classes. (I tried to search, read more on this topic, but all the answers were either for web API other type of Authentications)
I tried to check for the existence of a certificate at least, but that didn't worked either. I tried to get the certificate from request-context-connection-ClientCertificate or to read it from headers. Didn't worked locally or on deployed version. The certificates are always null.
I saw that there are some options to secure it with AD(also with facebook, google and so on), but first I'm curious if someone successfully implemented another Auth method, more like in a classic web api approach (JWT tokens, certificate, other similar stuff)
Access restrictions enable you to define a priority ordered allow/deny list that controls network access to your app. The list can include IP addresses or Azure Virtual Network subnets. When there are one or more entries, there is then an implicit "deny all" that exists at the end of the list.
Also you can request a client certificate when the client request is over TLS/SSL and validate the certificate. This mechanism is called TLS mutual authentication or client certificate authentication.
First, your App Service plan must be in the Basic, Standard, Premium, or Isolated tier.
Secondly, enable client certificates:
az webapp update --set clientCertEnabled=true --name <app_name> --resource-group <group_name>
Finally, Access client certificate. App Service injects an X-ARR-ClientCert request header with the client certificate. Your app code is responsible for validating the client certificate.
For more details about how to configure TLS mutual authentication for Azure App Service, please refer to this article.

How to setup client certificate authentication in ASP.NET framework

I'm trying to figure out how to set up my Azure Web App to require client certification. The idea is to force the client's browser to send a SSL certificate (that's installed on their machine) to the web app. The web app then validates attributes in the certificate to make sure the client is authorized to access the web app.
The purpose is to enhance the security of our web app since user cannot login from a device that doesn’t have the SSL cert explicitly installed (even if they have the username/password somehow).
I'm not sure where I should begin with this. I understand SSL handshakes and the highlevel concepts but I don't really understand how to implement this in my current ASP.NET MVC web app. A tutorial that would point me in the correct direction would really help out. Or even the steps required to achieve this as I am not sure where to begin (setting up SSL certificate with IIS? Getting client to send the SSL certificate? Where did the certificate come from?) All of these questions...
UPDATE: I found this article:
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth
But I don't know where to begin...

C# (SQL Server Integration Services) - Secured Web Service - How to post signed SOAP/Get response. Testproject SOAPUI works

I'm a not good at Web services and C#. I looked at other threads but I can't seem to find a solution. I think because I'm using SSIS I can't use WSE or WCF approaches.
I'm looking for a solution to exchange data between an application server and a secured web service. Overview:
There is a PFX file present which contains the client certificate and the private key.
The PFX is installed on the application server.
I can't approach the service endpoint through a browser e.g. internet explorer. Even with a certificate.
I received a SOAPUI project with already the bindings and methods defined (Can't insert the URL). I just needed to reference the PFX file in the settings. I compile a test for a method in the form of a SOAP message and I succesfully receive a response.
I need to generate the following SOAP header structure:
Picture
Now in C# how can I realize the same effect as in SOAPUI? At first I tried manually composing the soapmessage and posting it to the service, but I think this is not possible, because I can't seem to generate a security binary token. Now I'm thinking about generating proxy classes. Since I don''t have acces to the URL endpoint, I'll have to use offline versions of the WSDL + XSD's. Can the proxy class approach work with the web service security?
Basically you need to write custom script to consume web service in SSIS. First you need to install certificate on local machine. Then you will be able to consume it. SSIS provide support for web service, so you can use it. SOAPUI request is equivalent to web method.
MSDN Documentation: Call a Web service by using a client certificate for authentication.
Frequently, Web services must authenticate applications that call the Web services. The Web services must perform authentications of calling applications before the Web services can perform authorizations. One authentication technique is to require applications that call the Web service to present a client certificate.
When an ASP.NET Web application tries to call a Web service that uses
certificate authentication, you may receive an "access denied" error
message. When a console application or a Microsoft Windows Forms
application calls the same Web service, you do not receive an error
message.
This behavior occurs because the computer maintains two different
certificate stores: The local machine store: An ASP.NET Web
application looks in this store to locate client certificates. The
local user store: An interactive user application looks in this store
to locate client certificates. Typically, when an interactive user
application installs a client certificate, the client certificate is
installed in the local user store. Therefore, the client certificate
works for interactive user applications. However, the client
certificate does not work for ASP.NET Web applications.
To enable an ASP.NET Web application to use a client certificate, you
must install the client certificate in the local machine store. When
you install a client certificate in the local machine store, the
client certificate is only available for user accounts in the
Administrators group and for the user who installed the client
certificate. Therefore, you must grant access to the client
certificate for the user account that is used to run the ASP.NET Web
application.
Note You must have the Microsoft .NET Framework 1.1 Service Pack 1
(SP1) installed to use client certificates in the local machine store.
Additionally, when the ASP.NET Web application calls the Web service,
the application must export the client certificate from the
certificate store and then add the client certificate to the Web
service call.
Below are resources which would provide some starting point.
HOW TO: Write a Simple Web Service by Using Visual C# .NET
How to call a Web service by using a client certificate for authentication
Client certificate authentication with web services in .NET
Using authentication certificates to connect to web service
Accessing a web service and a HTTP interface using certificate authentication
Creating and Using C# Web service over HTTPS – SSL

How to bypass Untrusted certificate error from GWT client side code?

I created a self hosted HTTPS WCF web service running on my Localhost machine. Now i make a request to this web service from a GWT based application hosted on some domain.
I use self-signed X.509certificate which is not approved yet. Whenever my GWT application make requests, It shows an error because of untrusted Certificate. Can i bypass this error from my GWT client code or suggest me an alternative solutions ?
Is there are any other protocol which supports WCF service that we can use for communication and will not trigger the security alert from browser?
Updated
Whole scenario:
You installed a exe in your system, which take cares of WCF web service and importing certificate to your local machine.
You open a GWT based website from your browser. Let's say some.com
some.com continuously polling a request to his/her local machine. Let's say on https://localhost:8098/{someendpoint}
But because of this HTTPS and untrusted certificate. It is not able to make request.
since you said
Let's start with local testing
How about installing your self signed certificate onto the machine on which you are testing the GWT ?
You should be able to double click the certificate and follow the prompts/wizard to install it.
This applies to development only (for production you'd need a proper certificate)

Websphere MQ access to SSL certificate when running inside IIS7 as DefaultAppPool?

I have a C# Web service which is running under IIS 7.5 on Windows Server 2008 R2 using the DefaultAppPool user as the application identity (IIS APPPOOL\DefaultAppPool). The Web service uses IBM Websphere MQ (7.0.1.2) to do it's stuff and uses the SSL certificates stored in a key.kdb setup via IBMs KeyMan utility.
Normally (for C# apps that are not running IIS) I need to label the personal certificate within the kdb so that it's name matches the user that is running the app i.e. the certificate would be labelled as ibmwebspheremqbs6mjb (see http://www-01.ibm.com/support/docview.wss?uid=swg21245474) and this allows the app to successfully access the SSL certificates within the key.kdb.
But..... when running as a Web service and naming the certificate ibmwebspheremqdefaultapppool the application cannot access the SSL certs. If I change the AppPool identity to be bs6mjb then everything works (I'm not allowed to run the app pool as bs6mjb).
I'd prefer not to setup a default certificate as mentioned in the link above, does anyone know what the certificate should be labelled as to work with DefaultAppPool?
For MQ clients the certificate label must have the user name who runs the client. In your case, for example ibmwebspheremqbs6mjb. If the certificate label is something else, the MQ client (actually GSKit libraries) will not find the certificate to connect to queue manager. I think that's what is happening when you have the label as ibmwebspheremqdefaultapppool.
This blog has interesting and useful details. You may want to check under what user IIS runs and create a certificate for that user and do the required SSL setup between client and MQ queue manager.

Categories

Resources