Hi all,
I've been working with Certificates for a while (together with WSE2.0) and got a few projects working. I usually kept the certificate verification to the browser/IIS, not accessing or managing the user certificate in the application (with SSL and requiring certificates, the server itself verifies the certificate), guaranting the Client -> Server safe communication. To access the web service, I would also have an Application Certificate (a physical .cer file) so that I could pass it to the Web Service Server and make that communication also safe. On top of that, I would apply Basic authentication. That worked quite well, but I need some changes.
I need to improove this architeture a bit. Mainly, I need to use the Certificate not only as an SSL communication item, but as the authentication of the user by itself. After the user receives and installs the certificate, this certificate must authenticate and authorize the communication on every call. For that, I've been trying to verify the certificate on the application (checking issuername, etc) and passing the certificate to the WEB SERVICE (as a SecurityToken). Also, before even getting to the Certificate part, there's an SSL web form to authenticate the user in the Active Directory, so that he can request a certificate to the logged user.
This should be working, but I've had some problems:
1. In order to list the user certificates and check if a valid certificate exists (list the MyStore with Web Services Enhancements classes) I must impersonate with the logged user. If I just use "web.config" impersonation, everything works fine. But I'll have to dynamically change this impersonation, getting the context of the user who logged. This should be easy, but I've had many problems. I've now succesfully used the LOGONUSER API and it's correctly authenticating the user. But when I get the WindowsIdentity received from the APIs, create a Principal to that Identity, and set it to the HttpContext.Current.User, the User.Identity.IsAuthenticated property is ALWAYS false, no matter what kind of authentication I try. The LOGONUSER is ok because if I type a wrong user/password it doesn't pass, but even passing it does seem to generate a correct IDENTITY. (UPDATE: even with the IsAuthenticated as false it's possible to list the user certificates. But the second question remains a problem...)
2. After I make the impersonation work, will clients from outsite the network/domain be able to correctly login, impersonate, and VIEW the certificates installed for their CurrentUserStore(MyStore) through the Web Application, so that the certificate can be correctly verified and used from them on? I can do this locally but I've doubts on wether the application will be able to access the CLIENT's certificate, considering this client will be on a different "local" domain and will be only authenticating and impersonating through my application to a domain on the server. In other words, I wonder if after succesfully logging and impersonating as a user on the server domain, he'll be able to access his certificates on his local browser, that has a different or no domain at all.
3. And that's the biggest question. Isn't there a way to configure A.D. and IIS (mainly, the server side) to AUTHENTICATE clients through Certificates? I mean, if I force "Integrated Authentication" when accessing the site, in the same screen that the user can type the User and Password he can list and choose between his installed certificates. That should mean he could be passing his certificate to the server, instead of doing a login/password authentication. But how can I configure the server (IIS/AD/whatever) to authenticate this certificate for me, instead of authenticating it from the application? Must I do all those verifications in the application (as I've been trying) or just configuration on Active Directory/IIS/CA will enable this security architecture?
Thanks in advance for the attention,
Marcelo Barros