Client certificate has different thumprint via ARR and AuthorizationContext
I am currently working on a prototype for a WCF service that will make use of client-certificate authentication. We would like to be able to directly publish our application to IIS, but also allow SSL offloading using IIS ARR (Application Request Routing).
After digging through the documentation, I have been able to test both configurations successfully. I am able to retrieve the client certificate used to authenticate from:
- X-Arr-ClientCert - the header that contains the certificate when using ARR.
- X509CertificateClaimSet - when published directly to IIS, this is how to retrieve the Client Certificate
To verify that the request is allowed, I match the thumbprint of the certificate to the expected thumbprint that is configured somewhere. To my surprise, when getting the certificate through different methods, the same certificate has different thumbprints.
To verify what is going on, I have converted the "RawData" property on both certificates to Base64 and found that it's the same, except that in the case of the X509CertificateClaimSet, there are spaces in the certificate data, while in the case of ARR, there are not. Otherwise, both strings are the same:
My question: Has anyone else run into this, and can I actually rely on thumbprints? If not, my backup plan is to implement a check on Subject and Issuer, but I am open to other suggestions.
I have included some (simplified) sample code below:
string expectedThumbprint = "...";
if (OperationContext.Current.ServiceSecurityContext == null ||
OperationContext.Current.ServiceSecurityContext.AuthorizationContext.ClaimSets == null ||
OperationContext.Current.ServiceSecurityContext.AuthorizationContext.ClaimSets.Count <= 0)
{
// Claimsets not found, assume that we are reverse proxied by ARR (Application Request Routing). If this is the case, we expect the certificate to be in the X-ARR-CLIENTCERT header
IncomingWebRequestContext request = WebOperationContext.Current.IncomingRequest;
string certBase64 = request.Headers["X-Arr-ClientCert"];
if (certBase64 == null) return false;
byte[] bytes = Convert.FromBase64String(certBase64);
var cert = new System.Security.Cryptography.X509Certificates.X509Certificate2(bytes);
return cert.Thumbprint == expectedThumbprint;
}
// In this case, we are directly published to IIS with Certificate authentication.
else
{
bool correctCertificateFound = false;
foreach (var claimSet in OperationContext.Current.ServiceSecurityContext.AuthorizationContext.ClaimSets)
{
if (!(claimSet is X509CertificateClaimSet)) continue;
var cert = ((X509CertificateClaimSet)claimSet).X509Certificate;
// Match certificate thumbprint to expected value
if (cert.Thumbprint == expectedThumbprint)
{
correctCertificateFound = true;
break;
}
}
return correctCertificateFound;
}
When setting up the test again for a peer review by colleagues, it appears that my issue has gone away. I'm not sure if I made a mistake (probably) or if rebooting my machine helped, but in any case, the Thumbprint now is reliable over both methods of authentication.
- Uploading file from Flex to WCF REST Stream issues (how to decode multipart form post in REST WS)
- WCF Test Clinet - Can't Edit Config File
- Error message "WCF Service Error 413 Entity Too Large"
- BizTalk 2020 WCF-Sql Polling Receive Location no Response
- Why does the ASP.Net MVC model binder bind an empty JSON array to null?
- Is this use of using an appropriate way to dispose of resources being that a DataSet is returned in a WCF method?
- Explicit SSL / TLS version selection
- DTOs. Properties or fields?
- Adding WCF proxy class hides Visual Studio project reference
- WCF WebInvoke with query string parameters AND a post body
- Caching plaintext passwords in memory of WCF service
- The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'NTLM'
- WCF InvalidOperationException: A binding instance has already been associated to listen URI
- Remove root element from MessageHeader
- How can I get data from a scale into a web application?
- How to solve "Could not establish trust relationship for the SSL/TLS secure channel with authority"
- Querying eBay API with WCF
- Is the thread blocked when doing database operation?
- Could not find an implementation of the query pattern
- Periodically - Unable to translate Unicode character X at index Y to specified code page
- Remote monitoring design
- UWP: how to optimize synchronization between WCF WebServices and SQLite through async calls
- Visual Studio states that there is an ambiguous call, when there's only a single method with the given name
- Using C# NetTCPBinding and WCF, How Do I Get the Port the Client is Connecting From for Same Machine TCP Communication?
- Controlling Namespace Prefixes in WCF XML Output
- mexHttpBinding - Add a ServiceMetadataBehavior to the configuration file or to the ServiceHost directly to enable support for this contract
- 401 Client 'Negotiate', Server 'Negotiate,NTLM' When Calling WCF Server to Server
- Is it possible to implement server-side paging with a WCF Service, NOT a WCF Data Service
- Linq & Paging - Unable to return paged data with an OrderBy
- WCF Paged Results & Data Export