certauth | Simple CertificateAuthority and host certificate creation

• You are encountering the error because the subject name and subject alternative name in the SSL certificate installed, should be the same as the federation service name that is set while configuring ADFS role on the server. Since, that certificate only contains ‘sts.domain.com’ as the federation service name which is ultimately the subject name defined on the certificate and does not contain ‘certificate.sts.domain.com’ as a subject alternative name, thus, due to which you are encountering this error. Please find the below screenshot of the ADFS post-install configuration for your reference: -

• As in Windows Server 2019, the ADFS setup by default installs ADFS role on port 443 using the same certificate with SAN (subject alternative name) on different hosts. Thus, you need to update your certificate to support SAN and configure it accordingly. Please find the below command to update certificate SAN binding on the same port, i.e., 443 with different hosts: -

Ok, so in the end I was able to solve my own problem. There were two different parts to solving it, but ultimately it only required a few small modifications to my project code.

Recognizing client certificates

Firstly, the server was not recognizing the self-signed client certificates as valid certificates. This can be solved by either 1. adding all of the client certificates (or a root CA that signs them all) to the trusted certificate store of the operating system or 2. adding a ClientCertificateValidation callback to kestrel to determine whether or not a certificate is accepted or rejected.

Example of #2 (an adjustment to the ConfigureHttpsDefaults lambda in Program.cs) is below:

I found your point there and here is the answer, one paragraph before

Because the same self-signed certificate is used in this example, ensure that only your certificate can be used.

for some reason they chose to use same certificate for server and client (maybe for simplicity?) which is indeed a *BAD* practice in real world. Sharing same certificate between different entities never was a good idea. Client and server certificates must be different.

Certificate-based client authentication is more difficult, because you need to have a an account directory to validate client certificate against. For example, Active Directory. This directory should implement certificate <-> principal mapping. When you receive the certificate, you search for principal in directory and if found, you can uniquely distinguish clients, validate their permissions, rights and perform logging.

If no mapping found -- reject authentication, because you don't know the client.

If you don't care in distinguishing clients, then you clearly don't need mutual authentication.

And never hardcore client certificates/thumbprints in code, because they are periodically changed, therefore external account directory (which is updated using out-of-band process) is necessary.

Though, you can implement the logic when arbitrary clients can connect to your server only when they have certificate issued by your private CA. It is valid scenario. In this case, you don't need external account directory and you validate that client certificate is issued by exact, or by one of pre-defined CAs in the list, then you allow subsequent communication. But they still are anonymous to your system.

Edits based on your additions:

If your case fits last paragraph, then:

• validate general chain (i.e. time validity, extensions, revocation, etc.)
• validate that immediate issuer is in the explicit list of approved by you CAs (private)

Here is a blog post I put together that should give you an idea how to setup Kerberos PKINIT preauthentication mechanism to authenticate an IPA user with a X.509 certificate:

PKINIT with IPA and user certificates

You need to configure Kestrel to allow client certificates in the program.cs The default value is ClientCertificateMode.NoCertificate so in your ConfigureWebHostDefaults you need to change that to ClientCertificateMode.AllowCertificate.

Here's an edited chunk of code from the docs you sent where I did that:

Hope what follows will help someone! I eventually found this link : https://docs.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme?view=aspnetcore-3.1

It explains how to implement multiple authorization policies that both have a chance to succeed. Below is the solution I found using IIS after a bit more research:

Startup.cs

As the article said, if the correct certificate is sent to the server, the data is returned. If no certificate or the wrong certificate is sent, an HTTP 403 status code is returned.

So, as Bhushan said, confirm your certificate has uploaded to azure app service.

When you enable mutual auth for your application, all paths under the root of your app will require a client certificate for access. Exclusion paths can be configured by selecting Configuration > General Settings and defining an exclusion path.

For more details, you could refer to this article.