Home/ Questions/Q 8629883
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T08:55:20+00:00

In IIS, I can ignore, allow and require client certificates. In ASP.NET WebAPI (version

  • 0

In IIS, I can “ignore”, “allow” and “require” client certificates.

In ASP.NET WebAPI (version 4.0 that just launched a little while back), I seem to have the ability to only “ignore” or “require”.

By default, client certificates are ignored… so this statement always yields null:

var cert = actionContext.Request.GetClientCertificate();

But, if I set this flag on my config:

config.ClientCredentialType = HttpClientCredentialType.Certificate;

Then I get the client cert… but, I no longer have the ability to allow anonymous access.

My anonymous client now gets a 403 error: “The remote server returned an error: (403) Forbidden.”

Can I do a sort of “allow” like in IIS?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This is a known limitation with using X509 Certificate in self host scenario. The actual limitation is from the underlying transport binding in WCF, which does not have the allow option with regards to Client Certificate.

    You can, however, allow multiple authentications schemes with other options, such as anonymous and windows. We are working with the WCF team to find out if we can add that support with anonymous and x509 certificate as well.

    Hope this clarifies.

    • 0