
INTG server accepts SYST client certificate and returns 200 response - incorrect behavior

Vignesh.J asked:

We have developed a Web API application and we are using mutual TLS v1.2 for authentication. We have two servers (X and Y) in the INTG environment and also a load balancer. Servers X and Y are accessed via the load balancer.

I hit one of the Web API GET request URLs by selecting the client certificate in the Chrome browser. If the request goes to server Y and I pass a valid INTG client certificate, it works fine, and if I pass an invalid client certificate or a certificate from another environment (SYST), it throws 401 Unauthorized. This is the correct behavior and it is working fine on Y. But on server X, if I pass an invalid certificate it throws 401 Unauthorized, but if I pass the SYST client certificate it works and I get a 200 response. It should not accept the SYST client certificate in the INTG environment and should throw 401 Unauthorized, but it is accepting it and I am getting a 200 response. I verified both server configurations; everything appears the same and I don't see any difference. I identified this issue by stopping the site alternately on each of the two servers.

We are using "iisClientCertificateAuthenticationMapping", and in that we have set "manyToOneCertificateMappingsEnabled" to False and "oneToOneCertificateMappingsEnabled" to True, and for "oneToOneMappings" I have set the userName, password and certificate (base64 string).

Can you guys please let me know what the possible reasons for server X's incorrect behavior could be?

INTG servers:

  - Server X
  - Server Y

What I have tried:

I restarted the App Pool and analysed Wireshark logs.
Tags: C#, SSL, certificate, TLS, WebAPI2
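The setting described in the question is the `iisClientCertificateMappingAuthentication` element under `system.webServer/security/authentication` in IIS (in applicationHost.config or a site's web.config). With one-to-one mapping, IIS authenticates a presented client certificate only when it matches the `certificate` blob of an enabled mapping, so the first thing to compare between two servers that behave differently is the set of certificates actually mapped on each, not just the flags. The script below is an added example, not code from the thread: it parses the exported section from each server, decodes every mapped certificate blob and derives its thumbprint (SHA-1 over the DER bytes, the value the Windows certificate store displays), then reports flag differences, mappings present on only one server, and mappings that are not on an allow-list of certificates expected for the environment. The two configuration fragments and the certificate blobs are constructed sample data (placeholder bytes, not real certificates); the user names are likewise invented.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET


def _blob(label: str) -> str:
    """Constructed stand-in for a base64 DER certificate blob (placeholder bytes, not a real certificate)."""
    return base64.b64encode(label.encode()).decode()


# Constructed sample: the section as exported from server Y (one INTG mapping).
CONFIG_SERVER_Y = f"""
<iisClientCertificateMappingAuthentication enabled="true"
    manyToOneCertificateMappingsEnabled="false"
    oneToOneCertificateMappingsEnabled="true">
  <oneToOneMappings>
    <add enabled="true" userName="svc-intg" password="REDACTED"
         certificate="{_blob('INTG-CLIENT-CERT-DER')}" />
  </oneToOneMappings>
</iisClientCertificateMappingAuthentication>
"""

# Constructed sample: the section as exported from server X (an extra mapping for the SYST cert).
CONFIG_SERVER_X = f"""
<iisClientCertificateMappingAuthentication enabled="true"
    manyToOneCertificateMappingsEnabled="false"
    oneToOneCertificateMappingsEnabled="true">
  <oneToOneMappings>
    <add enabled="true" userName="svc-intg" password="REDACTED"
         certificate="{_blob('INTG-CLIENT-CERT-DER')}" />
    <add enabled="true" userName="svc-syst" password="REDACTED"
         certificate="{_blob('SYST-CLIENT-CERT-DER')}" />
  </oneToOneMappings>
</iisClientCertificateMappingAuthentication>
"""


def thumbprint(cert_b64: str) -> str:
    """SHA-1 over the decoded DER bytes, uppercase hex, as shown in the certificate store."""
    return hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper()


def audit(config_xml: str) -> dict:
    """Extract the authentication flags and the enabled/disabled one-to-one mappings."""
    root = ET.fromstring(config_xml.strip())

    def flag(name: str) -> bool:
        return root.get(name, "false").lower() == "true"

    mappings = []
    for add in root.iterfind("./oneToOneMappings/add"):
        mappings.append({
            "userName": add.get("userName"),
            # IIS treats a missing 'enabled' attribute on a mapping as true.
            "enabled": add.get("enabled", "true").lower() == "true",
            "thumbprint": thumbprint(add.get("certificate", "")),
        })
    return {
        "enabled": flag("enabled"),
        "oneToOne": flag("oneToOneCertificateMappingsEnabled"),
        "manyToOne": flag("manyToOneCertificateMappingsEnabled"),
        "mappings": mappings,
    }


def diff_servers(a: dict, b: dict) -> dict:
    """Compare two audit reports: differing flags and certificates mapped on only one side."""
    ta = {m["thumbprint"] for m in a["mappings"] if m["enabled"]}
    tb = {m["thumbprint"] for m in b["mappings"] if m["enabled"]}
    flags = ("enabled", "oneToOne", "manyToOne")
    return {
        "flags_differ": [f for f in flags if a[f] != b[f]],
        "only_in_a": sorted(ta - tb),
        "only_in_b": sorted(tb - ta),
    }


def unexpected_mappings(report: dict, allowed_thumbprints: set) -> list:
    """Enabled mappings whose certificate is not on the environment's allow-list."""
    return [m for m in report["mappings"]
            if m["enabled"] and m["thumbprint"] not in allowed_thumbprints]


if __name__ == "__main__":
    x, y = audit(CONFIG_SERVER_X), audit(CONFIG_SERVER_Y)
    print("diff X vs Y:", diff_servers(x, y))
    allowed = {thumbprint(_blob("INTG-CLIENT-CERT-DER"))}
    for name, report in (("X", x), ("Y", y)):
        for m in unexpected_mappings(report, allowed):
            print(f"server {name}: mapping for {m['userName']} uses non-INTG cert {m['thumbprint']}")
```

To use it against real servers, replace the two constructed strings with the `iisClientCertificateMappingAuthentication` section copied from each server's applicationHost.config (and from the site's web.config, since a per-site section overrides the server-level one and would not show up in a comparison of applicationHost.config alone), and fill the allow-list with the thumbprints of the INTG client certificates you intend to accept. A mapping that appears on only one server, or whose thumbprint is not on the allow-list, is the kind of difference that a visual comparison of the base64 blobs easily misses.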




