IIS 7.5 get client certificate within FTP request - iis

I'm trying to write a custom authentication provider for FTP in IIS 7.5. I found the IFtpAuthenticationProvider.AuthenticateUser Method (either native or managed) which is exactly what I need.
During the authentication the method should get the contents of a special field in the client certificate and compare it to the userName parameter provided by the AuthenticateUser Method.
My problem is now that I haven't found a way to access the client certificate within that method.
There are several solutions around for the http protocol (Request object) but not for the FTP stack.
My question is : Does anyone know how to access the client certificate within FTP during the authentication?
or
Is there a different aproach (which I missed)?

Related

Struggling with Login API to retrieve bearer token for data API in Azure

So I'm trying to use 2 API's from our external data source, an organization that solely focuses on delivering data to customers (me).
They have 2 different API's:
A login API: this API is called with basic authentication (username and password) and will provide a bearer token
An API to extract data and manage filters (this API will require the bearer token acquired through the login API)
Important notes:
The login API requires a self-signed certificate, I have created a certificate on my PC using openSSL and shared the public key with the external data source.
I uploaded the .pfx file in Azure (however i cannot set the domain or port number, this seems to be an issue, I can do this in Postman but can't seem to find it in Azure)
The data source confirmed that the certificate is valid and I am able to use the certificate in Postman but only if i set the correct hostname and also the correct port number (Else i get a TLS error in Postman)
Everything is working as it should in Postman (I can call the Login API and i can use the bearer token to access and download the data using a json file made for postman that i received from the data source organization)
I uploaded the .pfx certificate in Azure using AppServices > TLS/SSL settings and upload the private certificate, however the hostname it says here is my own database name (I am not sure if this is correct, in Postman i set the hostname when i upload the certificate to be the hostname of our data source with the needed port number)
I tried making a web call in Azure Datafactory, here i've used the correct URL i also use in Postman to access the login API and selected basic authentication and filled in the credentials
However when i try to debug pipeline (only the login web call) it gives the following error:
Error code 2108
Troubleshooting guide
Failure type User configuration issue
DetailsError calling the endpoint '[LINK i put with portnumber, which is correct]'. Response status code: 'NA - Unknown'. More details: Exception message: 'NA - Unknown [ClientSideException] An error occurred while sending the request.'.
Request didn't reach the server from the client. This could happen because of an underlying issue such as network connectivity, a DNS failure, a server certificate validation or a timeout.
Source
Pipeline
Punctuality
Am i looking in the wrong direction for this kind of data retrieval? is something going wrong with the certificate? I can't seem to find where i can set the correct hostname and port number (Like i can in Postman when uploading the certificate in .pfx format) Should I use API Management Service rather than Data Factory to make the API call to the external data source?
Select the authentication method as Client Certificate in web activity settings.
Specify base64-encoded contents of a PFX file in Pfx.

Configure IIS To Verify Client Certificate using external OCSP

I'm running a Windows 2012 R2 environment that hosts a website in IIS. The website currently requires a client certificate (which is validated) to access the website.
The client certificate is checked to ensure that it is valid and has not been revoked, not for identification by the operating system. If the user presents a valid certificate, the information on the certificate is used to authenticate and identify the user in the application code (the actual authentication is Forms Authentication). There is no mapping of the client certificate to an individual user (e.g. the client certificates does not map to an active directory account).
The site currently utilizes an additional piece of software to pass the client certificate to an external OCSP to verify the certificate status.
My goal is to remove that additional piece of software and be left with an IIS only (or Windows Server only) solution, but the documentation has me confused. I'm not sure if I need to install the OCSP role on the IIS server or our AD server, or if there is a way in IIS to configure a URL to check the certificate.
If the client certificate is pointing to an OCSP server in its extension, IIS will automatically validate it. You might check the CAPI2\Operational event log to see what happens during the validation.

Can I use Client Certificates on Azure App Services without a custom domain?

For testing purposes I would like to enable the 'Incoming Client Certificates' option in my Azure App Service (running a WCF webservice), and see if my Client application can still connect to the webservice. Since I am still in a testing phase, my app service still has the .azurewebsites.net domain name.
However, I can't seem to figure out how to get a proper client certificate that the server will accept (without switching to a custom domain name, which I know will work).
Currently, I see 2 possible routes to a solution:
Somehow get my hands on .cer that is signed by a CA trusted by the App Service server.
Generate a self-signed .pfx and .cer with my own self-signed CA. Import the pfx on the App Service and install the .cer on the client.
Both directions have not yielded any success so far. Does anyone have any experience with this?
Per my understanding, the client certificate is used by client systems to make authenticated requests to a remote server. In this case, your webservice is the remote server in a C/S mode. As you point out, "validating this certificate is the responsibility of the web app. So this means that any certificate will be valid as long as you don't validate anything". It does not effect on whether you have a custom domain or not in your web app service.
If you want to use client cert authentication with Azure app, you can refer to How To Configure TLS Mutual Authentication for Web App.
If the server has requested client certificate in its server hello and the client cert has signing capability, then it is expected to send the CertificateVerify message to the server. It contains signed hash of all messages from Client Hello till that point which are buffered on the server side. The server TLS layer will decrypt this using the client public key (which is in the Client certificate received earlier) and compare with its calculated hash. It will call back to application layer if this fails.
The application needs to handle it at that point and return its own error or continue with the session. https://www.rfc-editor.org/rfc/rfc5246#section-7.4.8
One example of this with Wolfssl library is https://github.com/wolfSSL/wolfssl/blob/14ef517b6113033c5fc7506a9da100e5e341bfd4/wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.cs#L145

Installing Certificate on Websphere 8 for authentication

I'm trying to add a .pfx certificate to Websphere8 server to establish a connection to an IIS server.
I tried to add the certificate to the deaultkeystore as a personal certificate and added the same as a signing certificate to the defaulttrustkeystore.
When ever I send a request through my application I'm getting a 401 unauthorized error.
I checked the communication b/w servers using Wireshark but there is no FINISHED message from either client or server.
So I wan't to know exact procedure to install a certificate on websphere server to get authenticated and thereby send the XML as a part of HTTPS Post request.
I contacted the web service provider, he said me that other users, or people who already implemented the client for this service, convert the pfx to .cer and send it along with the request. I also want to know how that is possible. I'm coding using Java 6.
Thanks for the help.

Getting 401.2 when certificate authentication is enabled

I'm setting up a server so that only mapped certificates can get to the webservice. It is set to require SSL/Client certificates, anonymous authentication, asp.net impersonation, forms authentication, and windows authentication are all disabled. One-to-one client certificate mapping is enabled, and certs are set up on the box with an appropriate user mapping. When I try to use the webservice, I get 401.2. If I enable anonymous authentication, it works, but I don't want any old cert to be able to access the website.
I have another machine that has anonymous authentication disabled in this configuration, and it works. I'm not sure what the difference is.
I ran into the same problem, but the solution above did not solve my problem. I was configuring IIS Certificate Authentication on a subdirectory of the website, not on the website itself.
So, this is wrong:
And this is correct:
Once I moved the configuration to the root of the website, everything worked perfectly.
I found the solution at http://blogs.msdn.com/b/saurabh_singh/archive/2009/06/13/avoid-this-confusion-around-client-certificate-mapping-in-iis-6-0-7-0.aspx.
Did you issue your client certs from a Certificate Server that the clients/server trust? If you look at the "Enhanced Key Usage" property on the certificates, is "Client Authentication" one of it's properties? In IIS, is the client certificate mapping role installed (see image 1)? did you enable "Client Certificate Mapping" and map the users to the certificate? You need to import all of the client certificates and map them to user accounts here. You can remove all of the other client authentication methods when you have configured that here.
The problem ended up being the software that was calling in, not in the configuration. I'm awarding natemrice the bounty since he put in a good effort to answer what ended up being a non-question.
edit: For more information, it actually ended up being a mismatch between the cert being sent (from the local box) and the cert that was put in the oneToOne mappings. The common name was the same, but the certs were different (likely the first one expired) so the cert simply wasn't authorized.

Resources