Authentication for ASP.Net MVC in DMZ

Question

User-2111650928 posted

Our current application maps LDAP username to Aspnet Membership database for role authorization after MS Username and Password provided.

What is be requested is to use Certificate mapping and the user's SSL certificate Subject Alternate Name in the same fashion.  I.e. query the SAN presented on the certificate and pass this to the aspnet membership database to authorize and then serve the proper content to the user's browser.

Is this even possible?  I've been searching the internet but don't seem to have the vocabulary to find an item which matches this request.  The part that I can't seem to find is passing the Certificate SAN to the aspnet membership database.

Thank you in advance.

Answer 1

User283571144 posted

Hi jrichers,

In my opinion, this is possible, we could create a custom filter to get the user certificate and get the SAN from the certificate and check it in the database.

I suggest you could refer to below article to know how to create the custom filter and how to get the certficate from requrst and get the SAN.

For how to create a custom filter in MVC, you could refer to below article:

What is custom filter:https://docs.microsoft.com/en-us/aspnet/mvc/overview/older-versions/hands-on-labs/aspnet-mvc-4-custom-action-filters 

How to get the request in the custom filter and how to register it.https://stackoverflow.com/a/6940798/7609093 

About how to get the SAN in the requrest's certificate, you could refer to below article:

Get the certificate from request:

HttpRequestBase request = filterContext.HttpContext.Request;
var re = request.ClientCertificate;

Get SAN:

https://stackoverflow.com/a/16698506/7609093 

Best Regards,

Brando

Answer 2

User-2111650928 posted

@Brando ZWZ, Thanks for the ideas, sorry for the late reply, I forgot to tell the forum to notify me.  I will post back with additional questions/information or results.  Thanks again.