Lenny Sockman

Reputation: 101

How to require mutual TLS in IIS for all requests at specific URLs

For Mutual TLS (MTLS), the Identity Server 4 documentation says Identity Server is configured for MTLS at certain endpoints.

In IdentityServer, the mutual TLS endpoints are expected to be located beneath the path ~/connect/mtls. This means your web server can be configured to require mutual TLS for all requests at and below that path.

Is there a way to do this in IIS? I've been researching extensively but can't find a way to enable MTLS for specific endpoints.

Upvotes: 0

Views: 6149

Answers (2)

Hans Kindberg

Reputation: 520

If you set read/write permissions on the involved nodes in ApplicationHost.config you can set it up in web.config:

<configuration>
    ...
    <location path="connect/mtls">
        <system.webServer>
            <security>
                <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
            </security>
        </system.webServer>
    </location>
    ...
</configuration>

/Hans

Upvotes: 3
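The same location-scoped setting applied from an elevated PowerShell session, as an added example that is not part of Hans's answer. It assumes the WebAdministration module and an IIS site named "Default Web Site" (placeholder); the unlock in step 1 is the prerequisite Hans mentions for placing the block in web.config.

```powershell
# Added example, not from the answer above. Requires an elevated session on the IIS host.
# Assumption: the site is called "Default Web Site"; change $site to match your server.
Import-Module WebAdministration

$site = 'Default Web Site'          # assumed site name
$mtls = "$site/connect/mtls"        # IdentityServer's mutual TLS path, per the question

# 1. Unlock <system.webServer/security/access> in applicationHost.config so a
#    <location>-scoped override (such as the web.config block in the answer) is allowed.
Set-WebConfiguration -Filter '/system.webServer/security/access' `
    -PSPath 'IIS:\' -Metadata overrideMode -Value Allow

# 2. Require TLS plus a client certificate only at and below connect/mtls.
#    Committing with -PSPath 'IIS:\' writes a <location path="Default Web Site/connect/mtls">
#    entry into applicationHost.config; the rest of the site keeps its existing sslFlags.
Set-WebConfigurationProperty -Filter '/system.webServer/security/access' `
    -PSPath 'IIS:\' -Location $mtls `
    -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 3. Verify the effective flags: the mtls path should require a certificate,
#    while the site root should be unchanged (typically Ssl or empty).
'connect/mtls:'
Get-WebConfigurationProperty -Filter '/system.webServer/security/access' `
    -PSPath 'IIS:\' -Location $mtls -Name sslFlags
'site root:'
Get-WebConfigurationProperty -Filter '/system.webServer/security/access' `
    -PSPath 'IIS:\' -Location $site -Name sslFlags
```

After applying it, a request to any path under connect/mtls without a client certificate is refused by IIS at the TLS layer, before the application sees it, which is the behaviour the question asks for.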

Lenny Sockman

Reputation: 101

In the readme for the certificate authentication package referenced in the Identity Server documentation, it says:

Can I configure my application to require a certificate only on certain paths?

Not possible; remember the certificate exchange is done at the start of the HTTPS conversation, it's done by the host, not the application. Kestrel, IIS, Azure Web Apps don't have any configuration for this sort of thing.

So I'm thinking it's not possible. But I would certainly appreciate any other feedback as to how to resolve MTLS for Identity Server given certificate authentication isn't possible at specific paths.

Upvotes: 0
