Wanting to implement authentication by client certificates, I am experiencing some issues.
First some facts
The whole site is using SSL. I am using IIS 6 (on Windows Server 2003) and have configured the site to accept client certificates, not requiring them. Most browsers are however implemented in a way so that they will only ask the user for a certificate when it is strictly required. Because of this the authentication model isn't really useful.
Suggestions of my own
My first idea was to set the HttpResponse.Status property, but it requires the characters before the first space to be an integer. The useful status for getting a browser to send a client certificate is "403.7 Client certificate required", so this will not work (unless you can overwrite it).
I also thought that I would just configure IIS to require client certificates for specific paths, but this - of course - works only with physical files and not with routing.
A possible solution is to make a specific folder and require client certificates for it, which is more of a hack than a solution. So I would like to avoid this if someone has a better proposal.
Clarifications
I have tested the browser response of Internet Explorer, Firefox and Chrome (I use Chrome as my primary browser and Firefox as secondary). None of the browsers asks for the client certificate unless I - in IIS - configure it as required.
The HTTP status code 403.7 is, to my understanding, allowed, as RFC 2616 only defines the status code as the first three digits. As IIS 6 returns 403.7 when a client certificate is required, I thought sending it would force IIS into a special mode triggering a requirement.
I guess the problem now is how to configure IIS to require a certificate given a virtual path and not a physical one.
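The "folder hack" described in the question, written out as an added example (not code from the question's author): an ASP.NET check that looks at the negotiated client certificate on a routed request and, when none is present, bounces the browser through a physical directory for which IIS has been configured to require a certificate. The directory name `/certrequired/` and the `returnUrl` parameter are assumptions for illustration; the example also shows why assigning "403.7 ..." to HttpResponse.Status fails, as the question notes, and uses StatusCode/StatusDescription instead.

```csharp
using System;
using System.Web;

// Added example: a simple HttpModule that enforces "client certificate
// present" on routed (non-physical) paths. It assumes a physical virtual
// directory "/certrequired/" exists in IIS with AccessSSLRequireCert set,
// so that a visit to it makes the browser actually present a certificate.
public class ClientCertGateModule : IHttpModule
{
    private const string CertRequiredPath = "/certrequired/";   // assumed

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;
        var path = ctx.Request.Path;

        // Requests already inside the cert-required directory are handled by IIS.
        if (path.StartsWith(CertRequiredPath, StringComparison.OrdinalIgnoreCase))
            return;

        // IIS only fills this in when the browser actually sent a certificate.
        if (ctx.Request.ClientCertificate.IsPresent)
            return;

        // Option A (what the question hoped for): this throws, because Status
        // must begin with an integer, so "403.7 ..." is rejected by ASP.NET.
        //   ctx.Response.Status = "403.7 Client certificate required";
        //
        // Option B: a plain 403 with a description. Legal, but on IIS 6 it does
        // not make the browser prompt for a certificate, as the question observes.
        //   ctx.Response.StatusCode = 403;
        //   ctx.Response.StatusDescription = "Client certificate required";
        //
        // Option C (the folder hack): send the browser through the directory
        // IIS requires a certificate for; the returnUrl parameter is assumed.
        var target = CertRequiredPath + "?returnUrl=" +
                     HttpUtility.UrlEncode(ctx.Request.RawUrl);
        ctx.Response.Redirect(target, endResponse: true);
    }
}
```

A page inside `/certrequired/` would then redirect back to `returnUrl`; on the return trip the browser keeps sending the certificate for the same SSL session, so `ClientCertificate.IsPresent` is true and the routed request passes.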