
We're looking to implement two-way authentication with client certificates for a privileged subset of our application users. The idea will be that if a certificate is detected the user will be asked for an additional password/PIN and that will be used to verify the certificate and user. Ordinary users will continue to authenticate themselves via the standard login mechanism.

Our production environment (hosted by a well-known company) comprises load-balanced application servers and I'm unclear as to how this set-up will handle the certificates and I'm not certain if there are any pitfalls I should be aware of. I would very much appreciate some thoughts, comments or real-world advice on the subject.

immutabl

1 Answer


Client certificate authentication needs special consideration if you're using an SSL-terminating load balancer, since the load balancer isn't capable of authenticating to the backend web server with the client's certificate.

Java's AJP handles this well, as the information about the client cert is passed on, but most HTTP load balancer/transport deployments don't have this capability. Depending on what the load balancer software is (and whether you control that aspect of the environment), you may be able to work out a mechanism to feed information about the client cert back to the web server.

Shane Madden
  • Thanks for your comments. Our load balancer *is* SSL terminating and a shared one at that so we don't have any control over it. It looks like I'm going to have to think of something else. The guys at the ISP suggested we just route high-level users to a different port which requires a client cert. The problem is that these users will be accessing our application through mobile clients (iPads, Android devices) so we have to secure things against the possibility of devices being stolen and used to access the site. I would appreciate your thoughts on this. This is .Net running on IIS btw. – immutabl Jun 26 '12 at 08:34
  • Hmm. I'm thinking maybe on first normal login give those users' devices some kind of long-lived cookie that marks them as needing only the less-intensive login process for future logins, and present them a different login form accordingly based on that cookie? – Shane Madden Jun 26 '12 at 17:08
  • Thanks for your help. There's been progress (of sorts) - the server guys got back to me and said they are going to set up the load balancer so that it will send any client cert to the app servers inside a custom HTTP header. I *think* this is a good thing. I just need to figure out how to get at its serial number to do the authentication piece. Do you think this will be a reasonable way to proceed? – immutabl Jun 27 '12 at 08:59
  • @5arx Yes, that sounds like a good approach! The one caveat there is that you're essentially trusting the load balancer instead of validating the clients directly. For example, if someone were to set their header to a trusted certificate, then connect to SSL without using a client certificate at all, and the load balancer simply forwarded the header they sent, then authentication could be bypassed. Also, unless the load balancer will be verifying that a certificate was issued by a trusted CA, then you'll probably want to check its thumbprint for validation instead of serial. – Shane Madden Jun 27 '12 at 15:40
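The header-forwarding arrangement discussed in the last two comments, as an added example that is not part of the original thread and is written in Go rather than the asker's .NET/IIS stack: it assumes the load balancer places the client certificate in a custom header as base64 DER, that the app server knows the load balancer's address, and it uses a constructed CA and client certificate (`NewTestPKI`, a hypothetical fixture) so it runs offline. It applies both caveats from the last comment: the header is accepted only when the peer is the load balancer, and the certificate is chain-validated against a trusted CA and identified by thumbprint rather than serial number.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)
// Thumbprint is the SHA-1 of the DER bytes, the value IIS/.NET shows as a certificate's thumbprint.
func Thumbprint(der []byte) string { s := sha1.Sum(der); return hex.EncodeToString(s[:]) }
// VerifyForwardedCert validates the base64 DER client certificate the load balancer forwarded in a custom
// header and returns its thumbprint. The header is only trusted from lbIP: any other peer could have set it.
func VerifyForwardedCert(roots *x509.CertPool, remoteIP, lbIP, certB64 string) (string, error) {
	if remoteIP != lbIP {
		return "", errors.New("client cert header not sent by the load balancer")
	}
	var cert *x509.Certificate
	der, err := base64.StdEncoding.DecodeString(certB64)
	if err == nil {
		cert, err = x509.ParseCertificate(der)
	}
	if err == nil { // check the chain here: the load balancer may forward the header without checking the issuer
		_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	}
	if err != nil {
		return "", err
	}
	return Thumbprint(cert.Raw), nil // match this against enrolled users, not the serial, which is unique per CA only
}
// NewTestPKI builds a constructed CA and client certificate (not a real PKI) so the example runs offline.
func NewTestPKI() (*x509.CertPool, string, string) {
	notBefore, notAfter := time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: notBefore, NotAfter: notAfter}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER) // re-parse so the pool holds the signed DER and public key
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: notBefore, NotAfter: notAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, ca, leafPub, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool, base64.StdEncoding.EncodeToString(leafDER), Thumbprint(leafDER)
}
```

The origin check only closes the bypass in the last comment if the load balancer itself overwrites or strips any copy of the header a client sends; the application-side check covers requests that reach the app servers without going through it.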