How to do something like <location path=“/”> in applicationHost.config to apply sslFlags to “/” but nothing within the virtual directory?

11 replies

Last post Oct 16, 2020 09:34 AM by Jalpa Panchal

  • How to do something like <location path=“/”> in applicationHost.config to apply sslFlags to “/” b...

    Oct 01, 2020 09:17 PM|rossmpersonal|LINK

    On an IIS 10.0 server hosting https://example.com, what do I put in my applicationHost.config so that all of the following is true:

     - https://example.com/ does not request a client certificate.
     - https://example.com/index.html does not request a client certificate.
     - Everything else, https://example.com/*, requests and requires a client certificate.
     - https://example.com/index.html is the default document for https://example.com/

    <configuration>
       <!-- Site level: request and require a client certificate -->
       <location path="">
          <system.webServer>
             <defaultDocument enabled="true">
                <files>
                   <add value="index.html" />
                </files>
             </defaultDocument>
             <security>
                <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert, Ssl128" />
             </security>
          </system.webServer>
       </location>
       <!-- index.html: no client certificate -->
       <location path="index.html">
          <system.webServer>
             <security>
                <access sslFlags="Ssl, Ssl128" />
             </security>
          </system.webServer>
       </location>
       <!-- Intended exemption for "/" itself; this path is the one that is not allowed -->
       <location path="/">
          <system.webServer>
             <security>
                <access sslFlags="Ssl, Ssl128" />
             </security>
          </system.webServer>
       </location>
    </configuration>

    does not work because <location path="/"> is not allowed.

  • Re: How to do something like <location path=“/”> in applicationHost.config to apply sslFlags to “...

    Oct 05, 2020 06:21 AM|Jalpa Panchal|LINK

    Hi,

    You could configure this setting by using the IIS Configuration Editor feature:

    1) Open IIS Manager.

    2) Select the virtual directory or folder for which you want to enable or disable the SSL flag.

    3) From the section drop-down, select "system.webServer/security/access".

    4) Check/uncheck the SSL flag.

    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
  • Re: How to do something like <location path=“/”> in applicationHost.config to apply sslFlags to “...

    Oct 05, 2020 11:35 AM|rossmpersonal|LINK

    Jalpa, 

    If I do what you are suggesting, it will apply it to every file within the virtual directory in addition to the virtual directory itself. That is exactly what I would like to avoid. I need the settings to apply to / but not /* . How do I do that?

  • Re: How to do something like <location path=“/”> in applicationHost.config to apply sslFlags to “...

    Oct 07, 2020 01:58 AM|Jalpa Panchal|LINK

    You could set the SSL flag setting in the site web.config file with the location tag. If you just want to set the SSL flag on the root document, use the code below:

    <location path="sitename/index.html">
        <system.webServer>
            <security>
                <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert, Ssl128" />
            </security>
        </system.webServer>
    </location>

    Remove the old SSL flag code from the applicationHost.config file.

    So this only applies to the index file, not to other files or folders. Or, as I suggested, if you want to remove the setting from the virtual directory, select the virtual directory and uncheck the SSL flag using Configuration Editor.

  • Re: How to do something like <location path=“/”> in applicationHost.config to apply sslFlags to “...

    Oct 07, 2020 02:44 AM|rossmpersonal|LINK

    Jalpa Panchal

    You could set the SSL flag setting in the site web.config file with the location tag. If you just want to set the SSL flag on the root document, use the code below:

    <location path="sitename/index.html">
        <system.webServer>
            <security>
                <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert, Ssl128" />
            </security>
        </system.webServer>
    </location>

    Remove the old SSL flag code from the applicationHost.config file.

    So this only applies to the index file, not to other files or folders. Or, as I suggested, if you want to remove the setting from the virtual directory, select the virtual directory and uncheck the SSL flag using Configuration Editor.

    I already do that. See the original post. When I do that, https://example.com/index.html does not request a client certificate, which is good. However, the URL https://example.com/ still requests a client certificate even though index.html is the default document so it does not solve this problem.

  • Re: How to do something like <location path=“/”> in applicationHost.config to apply sslFlags to “...

    Oct 08, 2020 05:59 AM|Jalpa Panchal|LINK

    You could try to use an IIS URL Rewrite rule to redirect https://example.com/ to https://example.com/index.html

  • Re: How to do something like <location path=“/”> in applicationHost.config to apply sslFlags to “...

    Oct 08, 2020 07:06 PM|rossmpersonal|LINK

    Jalpa Panchal

    You could try to use an IIS URL Rewrite rule to redirect https://example.com/ to https://example.com/index.html

    That is what I am currently doing as a temporary emergency workaround; it is overkill and I would like to move away from it. There has got to be a simpler and easier way to do this.

  • Re: How to do something like <location path=“/”> in applicationHost.config to apply sslFlags to “...

    Oct 09, 2020 02:14 AM|Jalpa Panchal|LINK

    Hi,

    I compared your applicationHost file settings with mine. I recommend you use the Configuration Editor to make the changes instead of directly editing the applicationHost.config file.

    Remove all the settings and set sites as the default settings.

    First, make sure you have index.html in your site as a default document. To check that, please follow the steps below:

    1) Open IIS Manager and select your site.

    2) Double-click on the default documents.

    3) Check whether index.html is available or not. If not, click Add from the action pane and add index.html.

    After doing this setting, add the SSL flag to the index.html file:

    1) Click on your site in IIS.

    2) Click on content view in the middle pane.

    3) Right-click on index.html and click switch to feature view.

    4) Now you will find index.html under the site tree. Select it and double-click Configuration Editor.

    5) From the section pane, select system.webServer/security/access and add the SSL flag to it. Click Apply from the action pane.

    After making the changes, restart your site and try to access the site.

    Below is my result:

    I am getting the SSL error on example.com and example.com/index.html, while I can access my other folder from the site.

    Note: the difference between your code and mine is that I set the site name in front of index.html in the location tag, while you only set index.html. When you modify the applicationHost.config file and make a wrong change by mistake, it will affect the whole server, so modifying the file directly is not the recommended way.

    Regards,

    Jalpa

  • Re: How to do something like <location path=“/”> in applicationHost.config to apply sslFlags to “...

    Oct 10, 2020 02:08 AM|rossmpersonal|LINK

    Jalpa Panchal

    Hi,

    I compared your applicationHost file settings with mine. I recommend you use the Configuration Editor to make the changes instead of directly editing the applicationHost.config file.

    Remove all the settings and set sites as the default settings.

    First, make sure you have index.html in your site as a default document. To check that, please follow the steps below:

    1) Open IIS Manager and select your site.

    2) Double-click on the default documents.

    3) Check whether index.html is available or not. If not, click Add from the action pane and add index.html.

    After doing this setting, add the SSL flag to the index.html file:

    1) Click on your site in IIS.

    2) Click on content view in the middle pane.

    3) Right-click on index.html and click switch to feature view.

    4) Now you will find index.html under the site tree. Select it and double-click Configuration Editor.

    5) From the section pane, select system.webServer/security/access and add the SSL flag to it. Click Apply from the action pane.

    After making the changes, restart your site and try to access the site.

    Below is my result:

    I am getting the SSL error on example.com and example.com/index.html, while I can access my other folder from the site.

    Note: the difference between your code and mine is that I set the site name in front of index.html in the location tag, while you only set index.html. When you modify the applicationHost.config file and make a wrong change by mistake, it will affect the whole server, so modifying the file directly is not the recommended way.

    Regards,

    Jalpa

    I agree in principle that it makes sense to use IIS Manager and/or Configuration Editor in IIS Manager and avoid modifying applicationhost.config manually due to the risk of corruption and/or introducing a syntax error. That is why I rarely edit applicationhost.config manually and when I do, after I make changes, I navigate to the modified section in Configuration Editor as it will display an error if the applicationhost.config has been corrupted or has a syntax error or cannot be parsed for any other reason.

    I asked the question in terms of applicationhost.config content as opposed to GUI operations because it is easier to describe text than it is to describe GUI operations in this forum.

    Unfortunately, the steps you provided do the exact opposite of what I am trying to do. Per my original post, what I am trying to do is make https://example.com/index.html and https://example.com/ not request a client certificate but make everything else, in other words https://example.com/*, require a client certificate. The steps you provide do the exact opposite.

  • Re: How to do something like <location path=“/”> in applicationHost.config to apply sslFlags to “...

    Oct 12, 2020 04:55 AM|Jalpa Panchal|LINK

    Hi,

    Sorry for the misunderstanding. I reproduced your issue on my side. In my opinion, you have to manually apply the flag to all the directories and files you want, and set the SSL flag to none at the site level.

    So when we enable SSL, it works with the index and www.example.com, but for disable, it will only work with index.html.

  • Re: How to do something like <location path=“/”> in applicationHost.config to apply sslFlags to “...

    Oct 13, 2020 01:53 AM|rossmpersonal|LINK

    Jalpa Panchal

    Hi,

    Sorry for the misunderstanding. I reproduced your issue on my side. In my opinion, you have to manually apply the flag to all the directories and files you want, and set the SSL flag to none at the site level.

    So when we enable SSL, it works with the index and www.example.com, but for disable, it will only work with index.html.

    I considered that approach but it is untenable. Every new file that is added to the site that requires a client certificate (which is 99.999%) would require a configuration change. There has got to be an easier way to do this.

  • Re: How to do something like <location path=“/”> in applicationHost.config to apply sslFlags to “...

    Oct 16, 2020 09:34 AM|Jalpa Panchal|LINK

    Hi,

    This is the IIS default behavior. First, it executes the authentication module, then it goes to the static or default document module. This is for the security of the site. So the only option is to set it manually on each separate folder you want. There is no other way to implement your requirement.

    You can check the IIS HTTP Request Processing flow.

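
Why the index.html exemption never reaches "/", as an added example (not code from any poster in this thread): a simplified Python model of `<location>` resolution that picks the deepest `<location>` on the requested URL's own path and ignores web.config files and override modes. The site name `example`, the `app` folder and both sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed configs; the site name "example" and folder "app" are assumptions.
REQUIRE = "Ssl, SslNegotiateCert, SslRequireCert, Ssl128"
LOCATION = ('<location path="{}"><system.webServer><security>'
            '<access sslFlags="{}" /></security></system.webServer></location>')

def build_config(*entries):
    body = "".join(LOCATION.format(path, flags) for path, flags in entries)
    return "<configuration>" + body + "</configuration>"

# Layout from the original post: site requires a cert, index.html is exempted.
ASKER_LAYOUT = build_config(("example", REQUIRE), ("example/index.html", "Ssl, Ssl128"))
# Layout from the last replies: site level asks for no cert, each protected folder opts in.
PER_FOLDER_LAYOUT = build_config(("example", "Ssl, Ssl128"), ("example/app", REQUIRE))

def load_access_flags(config_xml):
    """Map each <location path> to the set of sslFlags on its <access> element."""
    flags = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        access = next(loc.iter("access"), None)
        if access is not None:
            names = access.get("sslFlags", "").split(",")
            flags[loc.get("path", "").strip("/").lower()] = {n.strip() for n in names if n.strip()}
    return flags

def effective_flags(flags, site, url_path):
    """Walk site -> URL segments; the deepest <location> on that chain wins.
    The chain is built from the requested URL only, so "/" stops at the site
    level and never reaches the entry for its default document."""
    chain = [site.lower()] + [s.lower() for s in url_path.split("/") if s]
    result = set()
    for depth in range(1, len(chain) + 1):
        result = flags.get("/".join(chain[:depth]), result)
    return result

def requires_client_cert(config_xml, site, url_path):
    return "SslRequireCert" in effective_flags(load_access_flags(config_xml), site, url_path)

if __name__ == "__main__":
    for name, cfg in (("asker", ASKER_LAYOUT), ("per-folder", PER_FOLDER_LAYOUT)):
        for url in ("/", "/index.html", "/app/report.html", "/new-file.html"):
            print(f"{name:10} {url:18} client cert required: "
                  f"{requires_client_cert(cfg, 'example', url)}")
```

In the per-folder layout, `/new-file.html` resolves to the site level and is served without a client certificate until someone adds a `<location>` for it, which is the maintenance burden raised in the thread: that layout fails open for new content.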