Question

I apologize in advance if the question is ridiculous.

I have an asmx service running in Azure (HTTP - no SSL).

I have a WPF app that loads an X509Certificate2 and adds it to the request by doing the following:

X509Certificate2 cert = new X509Certificate2("...");
webRequest.ClientCertificates.Add(cert);

In the web service I get the certificate by

new X509Certificate2(this.Context.Request.ClientCertificate.Certificate)

And then I load a cert (that I have both uploaded to the Azure control panel and added to my service definition file) by using the following sample:

var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
X509Certificate2Collection certs = store.Certificates.Find(X509FindType.FindBySubjectName, certName, true);

And then I validate by doing the following:

clientCert.Thumbprint == certs[0].Thumbprint

Now unfortunately I get an exception (System.Security.Cryptography.CryptographicException: m_safeCertContext is an invalid handle) as soon as I do

 Request.ClientCertificate.Certificate

So I have a few questions. How do I avoid the exception? This answer states I need to modify an IIS setting, but how can I do that in Azure?

In any case, is this even the proper way to do certificate authentication?

Thanks!
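
The server-side check described in the question, written as an added example (not code from the original post) that tests whether a certificate was presented before building an X509Certificate2 from it. A client certificate is only sent during a TLS handshake, so on a plain HTTP request IsPresent is false; the class and method names here are hypothetical.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web;

public static class ClientCertificateCheck
{
    // Hypothetical helper: true only when the caller presented the certificate
    // that is installed in LocalMachine\My under the given subject name.
    public static bool IsPinnedClient(HttpClientCertificate presented, string certName, out string reason)
    {
        // Over plain HTTP, or when IIS did not negotiate a client certificate,
        // nothing was presented; stop before constructing an X509Certificate2.
        if (presented == null || !presented.IsPresent || presented.Certificate.Length == 0)
        {
            reason = "no client certificate on the request";
            return false;
        }

        var clientCert = new X509Certificate2(presented.Certificate);
        DateTime now = DateTime.Now; // NotBefore/NotAfter are reported in local time
        if (now < clientCert.NotBefore || now > clientCert.NotAfter)
        {
            reason = "client certificate is outside its validity period";
            return false;
        }

        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        try
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            // validOnly: true (as in the question) skips certificates whose chain does not validate.
            X509Certificate2Collection pinned =
                store.Certificates.Find(X509FindType.FindBySubjectName, certName, true);
            foreach (X509Certificate2 candidate in pinned)
            {
                if (string.Equals(candidate.Thumbprint, clientCert.Thumbprint,
                                  StringComparison.OrdinalIgnoreCase))
                {
                    reason = null;
                    return true;
                }
            }
        }
        finally
        {
            store.Close();
        }
        reason = "thumbprint does not match the installed certificate";
        return false;
    }
}
```

In the web service this would be called as ClientCertificateCheck.IsPinnedClient(this.Context.Request.ClientCertificate, certName, out reason), rejecting the request when it returns false.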


Solution

You can use command scripts to modify IIS, in combination with appcmd.exe.

For a quick example (disabling timeout in an application pool), take a look at this sample by Steve Marx.

In this example, you'd call DisableTimeout.cmd as a startup task. For more info on creating startup tasks, you can watch this episode of Cloud Cover Show. There should be a lab on startup tasks in the Platform Training Kit as well.

Just remember that any type of IIS configuration change should be made via an automated task at startup. If you manually change IIS via RDP, those changes won't propagate to all of your instances, and won't remain persistent in the event of hardware failure or OS update.

OTHER TIPS

You can remote into your Azure instances to manage IIS. As for a way to do it globally for all instances at once, I'm not sure. That would be an interesting side project though.

http://learn.iis.net/page.aspx/979/managing-iis-on-windows-azure-via-remote-desktop/

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow