Forwarding client certificates in IIS Kestrel reverse proxy setup

[DavidFlamme]

I want to implement a custom client certificate authentication, preferably by using a IAsyncAuthorizationFilter to translate the certificate to an identity.

Asp.Net Core with .NET Framework 4.7.2 is running on Kestrel behind an IIS reverse proxy like it is described here: https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/?view=aspnetcore-2.2&tabs=windows#out-of-process-hosting-model

The lead I could find is the ForwardClientCertificate setting described here: https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/index?view=aspnetcore-2.2#iis-options

How I understand it is, that one sends an http request with the MS-ASPNETCORE-CLIENTCERT header with the base64 encoded client certificate as value.
The ASP.NET Core Module in IIS (and IIS Express) takes the header, translates it into a certificate and provides (forwards) it to Kestrel as a ClientCertificate.
I'm not really sure if this expects a https connection between IIS and Kestrel to do that, but it also seems to complicate things a lot anyway.

So I couldn't get this to work and think I'm missing something here. If not my feature request would be to just forward the MS-ASPNETCORE-CLIENTCERT header to Kestrel and use ITlsConnectionFeature to resolve the certificate in the AuthorizationFilter.

Thanks in advance,
Davud

[muratg]

Send a client cert the normal way, as part of the TLS handshake. We use this mechanic only with IIS and Kestrel since the last hop is after TLS termination.

As an aside, for security reasons we block all headers with MS-ASPNETCORE-* sent directly to IIS

[MihaMarkic]

So, the same principle can be applied to any reverse proxy, like nginx for example? Stuffing encoded cert into MS-ASPNETCORE-CLIENTCERT header and asp.net core will do the magic?
Is this somewhere documented?

[dcarr42]

@MihaMarkic The new client cert forwarding bits should cater for this.

[MihaMarkic]

@DAllanCarr Do you have a link about it?

[dcarr42]

#10645 (comment)

…

On Fri, 31 May 2019, 18:50 Miha Markič, ***@***.***> wrote: @DAllanCarr <https://github.com/DAllanCarr> Do you have a link about it? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#7998>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ADKSKTHDXDS4LK6F3BVVEODPYFQM5ANCNFSM4G2TX3FA> .

Thank you for contacting us. Due to a lack of activity on this discussion issue we're closing it in an effort to keep our backlog clean. If you believe there is a concern related to the ASP.NET Core framework, which hasn't been addressed yet, please file a new issue.

This issue will be locked after 30 more days of inactivity. If you still wish to discuss this subject after then, please create a new issue!