I need to require client certificates on a site in IIS for any request that does not originate from the local network. Any local requests should not require client certificates. Is there a way to do this in IIS? I was thinking of configuring IIS to allow client certificates but not require them and then use a custom HttpModule that would check the originating IP address and kick back anything not from the local network that didn't include a client certificate.

Will that work? How would you solve the problem?

A: 

There are a couple of ways I would address this. You can pick what you like:

  1. Duplicate the site. One should require client SSL and the other not. The second one should disable external access.

  2. Install client SSL for local machines. This is perhaps the easiest unless you have some infrastructure issues getting client certificates.

  3. When IIS requires client SSL, it responds to all HTTP requests with a 'need client SSL' type message. The client (e.g. browser) then updates its request (e.g. shows the IE dialog for the cert) by passing the required certificates. You can use an HttpModule to trap these messages for local requests.

Sesh
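The module the question proposes (and that answer option 3 relies on), as an added example that is not code from the question, the answer, or IIS itself. It assumes the site's IIS SSL settings are set to *accept* (not require) client certificates, so that a certificate presented by an external client is visible to the module while local clients are not prompted for one. The local ranges (RFC 1918 plus loopback) and the class name are assumptions to adjust for your network.

```csharp
using System;
using System.Net;
using System.Net.Sockets;
using System.Web;

// Hypothetical module: rejects requests that arrive from outside the local
// network unless they carry a valid client certificate. Local requests pass.
public class LocalNetworkClientCertModule : IHttpModule
{
    // Assumed "local" ranges: RFC 1918 private space plus IPv4 loopback.
    private static readonly (IPAddress Network, int PrefixBits)[] LocalRanges =
    {
        (IPAddress.Parse("10.0.0.0"), 8),
        (IPAddress.Parse("172.16.0.0"), 12),
        (IPAddress.Parse("192.168.0.0"), 16),
        (IPAddress.Parse("127.0.0.0"), 8),
    };

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpRequest req = ctx.Request;

        // Decide on the TCP peer address, never on X-Forwarded-For or similar
        // headers: those are client-controlled and trivially spoofed.
        if (!IPAddress.TryParse(req.UserHostAddress, out IPAddress remote))
        {
            Reject(ctx, "Unrecognised remote address");
            return;
        }

        if (IsLocal(remote))
        {
            return; // local network: no client certificate needed
        }

        // External request: IIS has already negotiated the certificate at the
        // SSL layer (if the client offered one); check it was present and valid.
        HttpClientCertificate cert = req.ClientCertificate;
        if (cert == null || !cert.IsPresent || !cert.IsValid)
        {
            Reject(ctx, "Client certificate required for external access");
        }
    }

    // True when the address falls inside one of the configured local ranges.
    public static bool IsLocal(IPAddress addr)
    {
        if (addr.IsIPv6Loopback) return true;
        if (addr.IsIPv4MappedToIPv6) addr = addr.MapToIPv4();
        if (addr.AddressFamily != AddressFamily.InterNetwork) return false;

        uint a = ToUInt32(addr);
        foreach (var (net, bits) in LocalRanges)
        {
            uint mask = bits == 0 ? 0u : 0xFFFFFFFFu << (32 - bits);
            if ((a & mask) == (ToUInt32(net) & mask)) return true;
        }
        return false;
    }

    private static uint ToUInt32(IPAddress v4)
    {
        byte[] b = v4.GetAddressBytes();
        return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
    }

    private static void Reject(HttpContext ctx, string reason)
    {
        ctx.Response.StatusCode = 403;
        ctx.Response.StatusDescription = "Forbidden";
        ctx.Response.Write(reason);
        ctx.ApplicationInstance.CompleteRequest();
    }
}
```

Register the module in web.config under `system.webServer/modules` (`<add name="LocalNetworkClientCertModule" type="LocalNetworkClientCertModule" />`). Two checks worth making before relying on it: if a reverse proxy or load balancer sits in front of IIS, `UserHostAddress` is the proxy's address and every request will look local, so the check must move to the proxy or use the proxy's authenticated peer address instead; and `IsValid` only reflects the chain validation IIS performed, so the trusted root store on the server must contain exactly the CAs you intend to accept.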