views:

913

answers:

2

I'm developing a new website (ASP.Net, VB codebehind pages, .Net 3.5) to replace a "Classic ASP" site.

Some of the pages are 'public' and the rest require authentication - in this case it's done by reading DoD-issued CAC cards through the keyboard.

Now, for 'production', they configure IIS so that it does the authentication challenge (reading the card and requesting a PIN) when it hits a certain directory (/secure in this case) so that all pages in that tree are secured.

I'm coming ot the point where I need to see some of the information fomr the card - but when I "F5" the website I'm developing, all the Request.Clientcertificate stuff is empty - there's no 'challenge' happening with the Cassini ASP.Net development server.

I see references to "configure IIS to put SSL on the target directory" - but I'm not running IIS on this development PC (nor is the other developer who's going to run into this shortly). The network support people will be doing this when the site is eventually copied into production but I need to test certain security features now.

How can I configure the server that came with VS2008 to read the CAC card and 'load up' the server/session variables that I need to query? Alternatively, is there anything I can put into the .aspx or .aspx.vb pages themselves that can simulate or trigger the security challenge?

Thanks in advance.

+2  A: 

Short answer. Cassini doesn't support that kind of security.

David
A: 

I would hope you found a solution to this by now... but just in case, I will tell you that I do similar development and I ran into the same problem. The only "solution" I found was to simply publish the website/webpage to a server with IIS configured to require client certificates, etc...

Of course, this does prevent you from using the "debug" feature in Visual Studio, but there is always the method of injecting debug statements into code [e.g.: response.write() followed by response.end() if necessary]... I also built a page I used for enumerating all the strings available from request.clientcertificate(), and even later expanded it to run a provided regex for searching the entire certificate...

Hope those ideas prove useful!

It does not prevent you from using Debug. Simply open the project properties and go to the "Web" tab. Set the project to use IIS, and you should be able to debug just fine.
John Saunders
I had no trouble using debug provided I pulished to the *local* IIS. Of course I can't debug the version on our production machine but that's production :)
David
Visual Studio supports remote debugging. It will work with your local machine running IIS or a remote machine running the Remote Debugger Service. From Visual Studio choose Debug->Attach to Process and select the specific aspnet_wp.exe process you want to attach to.
RJBrady