This is a follow-up to a question that I posted here a few weeks ago, and which I have also posted at the asp.net forums, but since I don't expect there are too many of you out there who know the answer to it, I post it here also as it is indeed very IIS related.
I am writing an ASP.NET application that should handle user authentication according to the Swedish "eLegitimation" standard, which is based on soft certificates installed on the client machines. In an ideal world, the 3 providers of this service should have used the same standard, but obviously they don't, so 2 of them use client certificates the normal way, but the third uses a Java applet which runs locally on each user's computer (downloaded at login time). Now, as it stands, this leaves me with having to set up multiple entry point websites, one which has "require client certificates" set to true, and the other which doesn't require them at all since it is handled locally by their Java applet (this is of course a bit oversimplified). This does work, but it is a bit of work to maintain, and also requires multiple SSL certificates (server side) as I can't use the same one for different host headers (for obvious reasons).
Now, I am considering if there is a better way to do this, and the only two ideas I have are:
1. Perhaps I can write code (ASP.NET, C#) that requests the client certs if necessary, instead of setting this setting "web application wide". If so, I could just ask for it or not depending on which of the 3 providers the current user has chosen for authentication. Another advantage of this solution compared to the default one is that I could better control how and when I ask for the client certs; with "required" set to true, IIS will ask for them the moment the visitor hits the website, before I have been able to put up any info messages etc., which is a bit rude.
2. Changing the IIS setting on the fly (from "required" to "ignore" and vice versa) based on the current provider chosen. This however will most likely not work for a multitude of reasons (security, access rights etc.), and even if I solved all these, I could still risk 2 users trying to log in at the same time with different providers. This one seems like a dead end.
3. Using "accept client certs" instead of requiring them. This would mean that IIS asks politely if the visitor has any client certs or not, and if the user doesn't, or clicks cancel, the page will still load and they can choose to authenticate using the third provider (the one that doesn't use client certs). Note that this isn't the same as the user being logged in; without a valid client cert, the user wouldn't get anywhere in the system, but I could use one entry point instead of 2 since it isn't a dead end if they don't have a "normal" client cert. The downside of this is of course that the user will be prompted for client certs, even if they have none and are to log in using the Java applet route, and thus have to press cancel first.
If possible, the first solution is really the one I want to use, but is it doable? Is it safe? Is it "best practice"? If that doesn't work, I probably would go for the default solution, as solutions 2 and 3 just don't seem to hold all the way.
Comments, suggestions etc. would be much appreciated!
/Patrik Johansson
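The third option above (IIS set to "accept" rather than "require" client certificates) hinges on the application itself deciding, per request, whether the certificate that IIS negotiated is sufficient for the provider the user picked. The following is an added example of that server-side check, not code from the original post; it uses the real `HttpRequest.ClientCertificate` API from System.Web, while the provider names and issuer distinguished names are placeholders that a real deployment would load from configuration.

```csharp
// Added example (not from the original post). Assumes IIS is configured to
// "accept" client certificates, so a request may or may not carry one.
using System;
using System.Web;

public static class ELegProviderGate
{
    // Hypothetical provider identifiers; a real app would keep these in configuration.
    public const string ProviderCertA = "certA";
    public const string ProviderCertB = "certB";
    public const string ProviderApplet = "applet";

    // Placeholder issuer names standing in for the two certificate-based providers' CAs.
    private const string IssuerA = "CN=Provider A CA (placeholder)";
    private const string IssuerB = "CN=Provider B CA (placeholder)";

    // Returns true when the request may continue into the chosen provider's
    // authentication flow. This is a gate, not a login: a passing result only
    // means the TLS-layer evidence matches what that provider requires.
    public static bool ClientCertSatisfiesProvider(HttpRequest request, string provider)
    {
        if (request == null) throw new ArgumentNullException("request");

        if (provider == ProviderApplet)
        {
            // Applet-based provider: no client certificate is expected at the TLS
            // layer; the applet handles its own authentication later in the flow.
            return true;
        }

        HttpClientCertificate cert = request.ClientCertificate;

        // With "accept", a user who cancelled the browser prompt arrives with no
        // certificate. For a certificate-based provider that must be a denial,
        // never a fall-through to the applet path.
        if (cert == null || !cert.IsPresent)
        {
            return false;
        }

        // IsValid reflects IIS's own chain validation of the presented certificate.
        if (!cert.IsValid)
        {
            return false;
        }

        // Pin the issuer to the CA expected for this provider so a certificate from
        // provider A cannot be used to satisfy a login attempt declared as provider B.
        string expectedIssuer;
        if (provider == ProviderCertA) expectedIssuer = IssuerA;
        else if (provider == ProviderCertB) expectedIssuer = IssuerB;
        else return false; // unknown provider: deny by default

        return string.Equals(cert.Issuer, expectedIssuer, StringComparison.OrdinalIgnoreCase);
    }
}
```

A page handler would call `ELegProviderGate.ClientCertSatisfiesProvider(Request, selectedProvider)` after the user has chosen a provider and, on `false`, show the login options again rather than proceeding. The issuer comparison is the part worth adapting to the real CA names; the rest of the logic is what makes "accept" safe to use as a single entry point, since an absent or unvalidated certificate is never treated as equivalent to the applet route.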