• 12
I'm looking for a way to set up IIS to process client certificate authentication the same way nginx does when the optional_no_ca option is used for the ssl_client_certificate directive. Basically, it means that IIS should get a client certificate chain during the SSL handshake, validate that the client has the private key of the provided certificate, and that's it -- no further verification (like checking CRL, signature, dates). The rest of the client certificate verification would be done on the backend, which is located behind the IIS server.

It was easy to find the relative configuration docs for:

Unfortunately, I haven't managed to find any documentation describing the setup for IIS. Is it supported?

    • No, it is not supported. You can delegate the credential validation routine to another backend server only when the client certificate satisfies the general client certificate requirements. If you need this, it may indicate some issues in your design.
      • 2
    • The idea is to show the login page with username/password inputs for the cases when a client has no certificate or has an invalid one. The same idea as with an absent auth cookie. The redirect is done on the backend and should be based on the presence (or absence) of the certificate data in the request header. But thanks anyway!
    • You can try to enable client certificate and anonymous authentication. If client certificate authentication fails, IIS will attempt to authenticate the user anonymously (i.e. no auth on IIS) and you will have to handle anonymous authentication on the backend (show a form or whatever you need). I would try this approach (I haven't tested it personally, but it's worth a try).
      • 1
    • The client certificate validation mostly happens at the kernel level via the HTTP service. You can manipulate most validation by using netsh http add sslcert; you can also force a certreq to be sent by adding clientcertnegotiation=Enable in the same command. Hopefully by the time the request gets to IIS, you have a certificate to work with sans validation.
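
The binding and site settings mentioned in the last two comments, written out as an added example (not code from the original thread): it asks for a client certificate at handshake time, turns off revocation checking in HTTP.sys, and lets IIS accept a certificate without requiring one. The thumbprint, GUID and site name are placeholders, and these settings are not an equivalent of optional_no_ca, which the first comment says is not supported.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# All three values below are constructed placeholders; substitute your own.
$IpPort   = '0.0.0.0:443'
$CertHash = '<SERVER-CERT-THUMBPRINT>'                  # placeholder, server cert in LocalMachine\MY
$AppId    = '{00000000-0000-0000-0000-000000000000}'    # placeholder GUID
$Site     = 'Default Web Site'                          # placeholder site name

# 1. Record the current HTTP.sys binding so it can be restored later.
netsh http show sslcert ipport=$IpPort

# 2. Re-create the binding. clientcertnegotiation=enable makes HTTP.sys request
#    a client certificate during the handshake; verifyclientcertrevocation=disable
#    skips the CRL/OCSP lookup, so the backend must do that check itself.
netsh http delete sslcert ipport=$IpPort
netsh http add sslcert ipport=$IpPort certhash=$CertHash "appid=$AppId" `
    certstorename=MY verifyclientcertrevocation=disable clientcertnegotiation=enable

# 3. Confirm what HTTP.sys now reports for the binding.
netsh http show sslcert ipport=$IpPort |
    Select-String 'Negotiate Client Certificate', 'Verify Client Certificate Revocation'

# 4. At the site level, accept (not require) a client certificate and keep
#    anonymous authentication on, so requests without a certificate still
#    reach the backend and can be shown the login form.
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' `
    -Value 'Ssl,SslNegotiateCert'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'enabled' -Value $true
```

With revocation checking disabled at the binding, every check the question lists (CRL, signature, dates) has to be enforced by the backend before it trusts the forwarded certificate data.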
