How do you use Thinktecture IdentityServer 3 with Certificate setup - iis

I want to use Thinktecture IdentityServer 3 to provide STS to ASP.NET site but I don't know how to setup the certificates.
How do I use SelfHost (InMem with WS-Fed) Thinktecture Identity Server 3 as STS for a local IIS site?
The problem I have is as follows:
I've used this client in VS Development Server:
https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Clients/MvcOwinWsFederation
with the SelfHost (InMem with WS-Fed):
IdentityServer3.Samples/tree/master/source/SelfHost%20(InMem%20with%20WS-Fed)
It all works, connects, authenticates and displays claims.
But when I publish the client to a local IIS site called WSFedClient and it tries to authenticate against the same self-host STS, I get this error:
"The remote certificate is invalid according to the validation procedure."
I've followed this:
https://github.com/IdentityServer/IdentityServer3/issues/553
...but I'm still confused about what it is I need to do.

Try installing your cert into the "Trusted Root Certificate Authorities" store.
1) Launch the mmc. At the start menu, enter MMC.exe and hit enter.
2) Press control-M to add a module. Select Certificates, and click Add.
3) Select Computer account, then Next, select Local Computer, and hit Finish. Then hit OK.
4) Expand Certificates. Right-click on "Trusted Root Certificate Authorities", and select "All tasks", then "Import..."
5) Browse out to the cert and select it. You probably will need to check the box to allow it to be exported, which means you'll probably have to enter the password, which you should know, if you created it.

Check the following things regarding your certificate. Most probably point #2 below is causing this error.
1) Check if the CA's root certificate exists in the Trusted Root Certification Authorities store.
2) Check that the "Issued To" field of the certificate matches the host name of the identity server's endpoint URL.
3) Check the expiry date of the certificate.
4) Check that the certificate has not been revoked by the CA.
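The four checks above can be run against the certificate the STS actually presents during the TLS handshake. The following PowerShell is an added example, not part of the answer; the STS host name and port are placeholders for your own self-host endpoint.

```powershell
# Added diagnostic for the "remote certificate is invalid" error.
# Assumes the self-hosted STS listens on localhost:44333 (placeholder).
param(
    [string]$StsHost = 'localhost',
    [int]$Port = 44333
)

# Grab the certificate presented by the STS. The callback returns $true so
# the handshake completes and we can inspect the certificate ourselves.
$tcp = New-Object System.Net.Sockets.TcpClient($StsHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($StsHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# Check 1 and 4: build the chain with online revocation checking. A self-signed
# cert has no CRL, so expect RevocationStatusUnknown in ChainStatus for it.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chainOk = $chain.Build($cert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$rootTrusted = $null -ne (Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint })

# Check 2: the host name in the endpoint URL must appear in the subject CN or SAN.
$dnsNames = @($cert.GetNameInfo('DnsName', $false))
$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if ($san) { $dnsNames += ($san.Format($false) -split ', ') -replace '^DNS Name=', '' }
$nameOk = $dnsNames -contains $StsHost

# Check 3: validity period.
$now = Get-Date
$dateOk = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

[pscustomobject]@{
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    RootInTrusted = $rootTrusted
    NameMatches   = $nameOk
    DateValid     = $dateOk
    ChainBuilds   = $chainOk
    ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
```

Any property reporting False points at the corresponding item in the checklist; note that the IIS worker process validates against the LocalMachine stores, so run this in an elevated session on the IIS host rather than from your developer profile.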

It looks like you must configure SSL endpoint for callback URI as well. That is WSFedClient in your sample.

Related

IIS Getting 403.16 error when Client certificates option is set to "Accept"

We have a webapi application hosted on IIS 10. Apart from token based authentication, we also support client certificate based authentication. To support client cert based auth, we have the client certificate setting in IIS set to Accept. So the consumer has to either send a certificate or token to authenticate.
One of our customers is integrating the APIs with Oracle CPQ and using tokens to authenticate. But they are getting a 403.16 error from IIS. Their stand is that they are not sending any certificate with the request. But I suspect that some default client certificate is being sent. How do I find out if that is the case, or is there any other problem that I'm missing?
We also have made the following registry changes. Any help will be appreciated.
You can try the solution below:
On the IIS Web server, select Start, type mmc.exe in the Start Search box, right-click mmc.exe, and then select Run as administrator.
On the File menu, select Add/Remove Snap-in.
Under Available snap-ins, select Certificates, and then select Add.
Select Computer account, and then select Next.
Select Local computer, select Finish, and then select Close.
To exit the wizard, select OK.
Expand Certificates, expand Trusted Root Certification Authorities, right-click Certificates, point to All Tasks, and then select Import.
In the Certificate Import Wizard, select Next.
In the File name box, type the location of the root certificate of the certification authority, and then select Next.
Select Next, and then select Finish.

IIS Client Certificate is Not Accepting, Not getting any Certificate Prompt

In one of my applications, I enabled the configuration on IIS to accept the client certificate, by enabling it as in the picture below. I did the same configuration on the local IIS server and it works,
but here it's not working. Any configuration that I am missing? At least it should prompt for the certificate.
It will prompt the client to provide a certificate only when accessing via https:
You need to check whether you access the service via https.
I think you need to install the cert in the cert store of the current user for the browser to show the dialog box with the list of certificates.

Client certificate authentication on IIS 8 - 401.1 Unauthorized

We are developing ASP.NET application and we need to use Client Certificate Authentication on IIS 8.
I followed guides to setup SSL and Client Certification authentication.
https://blogs.msdn.microsoft.com/asiatech/2014/02/12/how-to-configure-iis-client-certificate-mapping-authentication-for-iis7/
and
https://blogs.iis.net/rlucero/iis-7-walkthrough-one-to-one-client-certificate-mapping-configuration
I've set up the client certificate and added a one-to-one mapping to map it to the local administrator account (once it works, I will change it to a more restricted user).
I validated that both server and client certificates are valid and trusted on the server and on the client. So there is no problem with the certification authority.
When I try to access the web page I am prompted to choose a client certificate. When I confirm the selected certificate I always get a 401.1 result: Unauthorized.
I think that it can be related to the fact that in the IIS Authentication settings I disabled all authentication types. When I enable Windows Authentication, it seems to work: I am prompted to select a certificate, and when I confirm the selected certificate, I am prompted for a username and password and then the page is displayed correctly. Of course I do not want the user to enter a Windows user name and password.
PS: Error log file from IIS is here https://www.dropbox.com/s/pe8qwxpgilr347l/fr000156.xml?dl=0
Thank you for any tips.
In my case, I needed to install and activate "client certificate mapping authentication" in Windows Server Manager "Roles and Features" and in the IIS configuration editor here: system.webServer/security/authentication/clientCertificateMappingAuthentication

What certificate store should I use to store a certificate for signing/encrypting JWT tokens?

I'm adding support for JWT tokens in my Web Application, and I have an X509 certificate which it needs for signing those tokens.
I have rejected the idea of using the same certificate we use for HTTPS (see Can I use the Private Key Certificate of Web App to sign JWT?).
I think a self-signed certificate should do the trick; in fact I can't see any advantages of a web of trust in this scenario (that doesn't mean there aren't any, I just can't think of any).
The web application runs on a farm of web servers. My current plan is to generate a self signed cert and put the X509 certificate into the certificate store in Windows on each machine. Our IT department are checking, but they think they can roll that out to all the Web Servers in the farm using Group Policy. So this seems like a feasible plan.
The certificate store in windows looks pretty confusing to me. I think there are two options:
1) Put it in the "My" store for the user under which the IIS App pool runs. There are many app pools, so potentially the certificate will be in many stores.
2) Put it under the LocalMachine store, and then grant explicit access to the specific certificate for the IIS user(s).
3) Something else I can't think of.
Is there a "correct" place for these types of certs, and if so where is it?
The usual certificate store for signing certificates is the My store. I normally place them in the LocalMachine location, but it is probably safer to put them in the certificate store for the Application Pool identity itself.
I would then give the Application Pool read-only access to this certificate only (right-click the certificate, then 'All Tasks' > 'Manage Private Keys', then add your Application Pool identity and give 'Read' permissions only).
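The 'Manage Private Keys' step above sets an ACL on the private key container file, which is what makes it scriptable across a farm. The following PowerShell is an added example, not from the answer; the thumbprint and app pool name are placeholders, and it assumes the signing cert already sits in LocalMachine\My with an RSA private key.

```powershell
# Added example: grant an IIS app pool identity Read on a signing cert's
# private key, equivalent to MMC > All Tasks > Manage Private Keys > Read.
param(
    [string]$Thumbprint  = 'REPLACE_WITH_CERT_THUMBPRINT',   # placeholder
    [string]$AppPoolName = 'MyWebApp'                        # placeholder
)

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

# Resolve the on-disk key container name. CNG keys expose it via RSACng.Key,
# legacy CSP keys via CspKeyContainerInfo; both live under ProgramData\Microsoft\Crypto.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $keyName -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $keyFile) { throw "Private key file $keyName not found" }

# App pool identities are virtual accounts named "IIS AppPool\<pool name>".
# Read is all a signer needs; never grant FullControl or the pool can re-export the key.
$identity = "IIS AppPool\$AppPoolName"
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

Write-Output "Granted Read on $($keyFile.FullName) to $identity"
```

Run it elevated on each farm node (or wrap it in the Group Policy rollout mentioned in the question); a certificate imported without the exportable flag still needs this ACL before the worker process can sign with it.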

How can I request a client certificate only from a particular CA

Is it possible to request client certificates issued only by a particular CA (Certificate Authority)?
The site is using IIS 7.5, and we have client certificates assigned to users following this article - http://ondrej.wordpress.com/2010/01/24/iis-7-and-client-certificates/.
The CTL does not seem to have any effect on this because the server will always advertise all acceptable CA names, regardless of whether they are in the CTL or not.
http://blogs.msdn.com/b/saurabh_singh/archive/2007/12/07/certificate-trust-list-not-being-honored-by-iis-5-0-6-0-7-0.aspx
Run MMC as an Administrator on the server.
Add the Certificates Add-in, selecting the Computer account.
In each of the sub-folders, for each of the certificates you DO NOT want to be included:
    If the Intended Purpose has or contains Client Authentication:
        Right-click on the certificate
        Make sure "Enable only the following purposes" is selected
        Uncheck "Client Authentication"
        Click OK.
I had to do this for over 400 certificates on two servers... twice (because GPOs overwrote my settings).