Implementing Client Certificate Authentication

Implementing Client Certificate Authentication

  

Hello fellow developers,

The devteam and I have hit a problem for quite a while now and we dont know how to resolve it or where to search. Before I go into explaining I will give some background information first.

We have an OutSystems application we want to grant a specific set of users access too. These users already authenticate with an other non-outsystems application using their Client Certificate that was distributed a long time ago. We have access to the database which contains a copy of these certificates on some 3rd party server.

What we want to achieve is:
1. The user goes to a specific outsystems page that has SSL/TLS With client certificates checked as HTTP Security Property

2. The user selects his Client Certificate in the browser and proceeds to the page.
3. The preparation runs and with ClientCertificateGetDetails we will extract the Certificate information and match it against the copy we fetch from the external DB.

4. If it matches, log in, else deny access.

However when we set the SSL/TLS With client certificates property, the page can no longer be visited. 

If we visit the page binding no client certificate, we get an OutSystems error: Invalid client certificate.

If we visit the page binding a client certificate, we get an IIS error: 403 - Forbidden: Access is denied.

Neither in above scenarios does the preparation run so we cannot go to custom validating the certificate.

Things we have tried:

1. Add the CA the client certificate is signed against in the trusted root store in IIS.

2. Set IIS SSL settings to Accept instead of ignore.

In essence its the same issue as described here:

https://www.outsystems.com/forums/discussion/38204/ssl-tls-with-client-certificates-prompts-for-certificate-but-get-server-error-403/

My best guess is that we need to change some setting in IIS that would allow all certificates to pass trough IIS and leave validation to OutSystems.

Does anybody have any pointers?

Thanks in advance,


Selwyn de Jonckheere