Hi there,
We have a website with an application underneath it. The website needs to accept (but not require) client certificates in order to redirect the user depending on their certificate. We did that with this web.config value:
<system.webServer><security><access sslFlags="Ssl, SslNegotiateCert"/></security></system.webServer>
The application, to which the user gets redirected, contains two folders which require client certificates, which is done the following way:
<system.webServer><security><access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" /></security></system.webServer>
At the root level, however, the application should ignore client certificates:
<system.webServer><security><access sslFlags="Ssl"/></security></system.webServer>
The problem is that when navigating to the root level of the application, the browser asks for a certificate. It doesn't matter if you select one or not, the pages show. So it seems like the application is inheriting from the website (accept but not require client certificates). In order to stop this behaviour, I altered the website's web.config like this:
<location inheritInChildApplications="false"><system.webServer><security><access sslFlags="Ssl, SslNegotiateCert"/></security></system.webServer></location>
But I'm still seeing the same behaviour.
Is there any other way I can prevent this? Or anything that might interfere?
The application uses .NET 4.5 and runs on IIS 7.5.
Cheers Tobi