Reputation: 4542
How to restrict specific pages to Certificate Authentication?
In my ASP.NET web-application I have created Default.aspx (set as my start page), and a new folder called SmartCard with WebForm1.aspx inside of it. How do I configure Web.Config to prompt user for Certificate upon visiting SmartCard/WebForm1.aspx but NOT when Default.aspx loads?
In the accepted answer of this question:
if your app is hosted in IIS then simply add (in web.config) a section that says client certificate is required for those pages. THe browser will then ask the user for a cert.
From the above answer, I looked some more on StackOverflow and found this. From their accepted answer I put the following section in Web.Config:
<location path="SmartCard">
<system.webServer>
<security>
<access sslFlags="SslRequireCert" />
</security>
</system.webServer>
I then modified applicationHost.config in C:\Windows\System32\inetsrv\config (or appropriate directory for your install) and change the following line:
<section name="access" overrideModeDefault="Deny" />
to:
<section name="access" overrideModeDefault="Allow" />
However, I still get prompted for a Certificate on site load. I first get the following screen:
After clicking "Continue to this website" I then get prompted to selected a Certificate when Default.aspx loads. However, I only want to get prompted to selected a Certificate when SmartCard/WebForm1.aspx loads!
ANY help is greatly appreciated!
Here are my site settings in IIS-7:
SSL settings:
Site Bindings:
*MyDevCert is self-signed
Update:
I created a new Web.Config file inside of SmartCard directory with the following:
<?xml version="1.0"?>
<configuration>
<security>
<access sslFlags="SslRequireCert" />
</security>
<system.web></system.web>
</configuration>
I then removed the 'location' tag from base Web.Config.
Base Web.Config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<identity impersonate="false" />
</system.web>
</configuration>
However, I still get "There is a problem with this website's security certificate" screen and I get prompted for certificate once I click "Continue to this website"
Upvotes: 2
Views: 1162
Answers (1)
Reputation: 952
From what I'm seeing, you can only have a single value for sslFlags.
See http://www.iis.net/configreference/system.webserver/security/access And https://msdn.microsoft.com/en-us/library/ms689458(v=VS.90).aspx
The sslFlags attribute can be one of the following possible values. The default is None.
Upvotes: 1
Related Questions
- ASP.NET core Restrict access to certian pages
- How to Require SSL on a specific Page Type but not on the parent page
- Forcing SSL (https) on a page by page basis
- Asp.net https allow only payment page
- How to force https for only the pages need to be authorized in a Asp.Net MVC 5 site?
- how activate SSL only for login and specific pages MVC
- IIS application - some Urls should require client ssl certificates and other don't ask for it
- Setting up SSL page only on login page
- disable ssl for a specific page
- Ensure page is only accessed via SSL