MVC single sign on with SSL across both sites - asp.net-mvc

After checking other SO questions I have single sign on (SSO) working. There are two MVC 4 applications hosted on the same machine with the same domain (foo.example.com and bar.example.com).
Now I would like to get this working so both sites are under SSL for all of their traffic (without writing my own authentication handling as in this example).
I have worked out how to create self signed certificates in IIS7 and tried using one certificate for both sites and also having a separate certificate for each site.
After trying various configurations I am starting to believe it is not possible. I understand that SSO works by passing the authentication cookie between the applications when the web.config has been set up correctly with matching machine keys.
If the two sites are under SSL does this premise break down because of the encryption inherit in SSL? If it is possible I haven't worked out how to set it up.
If it is possible how do I do it:
One SSL certificate for both sites?
Two different SSL certificates?
If it is possible how do I set up IIS?
Any experience with this situation would be appreciated.

SSL has nothing to do with SSO (except that it encrypts user credentials during logon). You can have a single certificate for any number of sites if your only goal is to encrypt the traffic. However, in production you want 2 separate certificates for both of your names - foo.example.com and bar.example.com. Note, browsers will complain if they're self signed because their trust chain cannot be verified. So it's better to buy certificates from trusted authorities like VeriSign, Thawte, etc.
As for setting up IIS check these links: one, two.

Related

Do I really need 2 SSL certifications to redirect a naked domain to www?

I have a website, which I only want to be used with the https://www-prefix.
I have to 2 url-redirects configured in my web.config (asp.net MVC on Azure websites), one from http to https, and one from naked domain to www.domain.
I initially bought an SSL certificate for my www.domain.com only, but then when someone would enter the naked domain, he would get a browser warning/block before the redirect could even happen. Eventually I bought a 2nd SSL cert. for my naked domain as well and it all works now, but I can't help wonder, do I really need to buy 2 certificates for this scenario?
Yes, you really need a certificate valid for the two domains if you want to be able to redirect users who manually enter the naked domain with the https protocol.
It can be two certificate, but it can be one certificate containing the two domains. Most SSL vendors include for free the naked domain.
(And, there is Let's encrypt that can give you certificate for free.)
Furthermore, having a certificate for the naked domain allow you to use HSTS including sub-domains, which can protect all your sub-domains against SSL strip.

Free SSL security certificate on Heroku?

I pushed a Spree Rails app to Heroku and I see it's using ssl withhttps:// and has a yellow padlock in the browser. Clicking on this shows "Identity verified" and the Certificate Information says Issued To: *.herokuapp.com
This is great. With no configuration or expense at the Heroku end, my app is using SSL with a valid looking certificate. Ok it's a yellow rather than green padlock but hey, not bad for free.
I'm sure this is a stupid question..but how can I run another Rails app on Heroku with a verified certificate without paying for the SSL add-on and purchasing my own certificate?
The TLS/SSL connection your browser is establishing is due to the fact the you are connecting to your app via appname.herokuapp.com. This is standard and will automatically work for any app you create out of the box. Heroku provides SSL encryption as you may be sending sensitive information to the server and it is better practice to encrypt data that you may not necessarily deem sensitive, but your client may. All reputable providers (SAS, Web Hosts, Email Providers) will have a wildcard SSL certificate installed to the base domain (*.herokuapp.com) as it is a single certificate that is relatively inexpensive and will secure all the sub-domains automatically.
That being said Apps are SSL-enabled already and can be accessed simply by using https, e.g., https://appname.herokuapp.com, but you would want to go with the SSL endpoint option when you want to establish the trusted relationship with your clients. Both ways are as secure as the other, but with the wildcard SSL (also referred to as a shared SSL certificate) the trust is established between the client via their browser and Heroku not your App/Site. With the SSL signed to your domain.com the clients can connect to your domain and not the Heroku sub-domain and see your site's information in the connection information on the browser. If your site is needing disambiguation from Heroku then is when you will want to proceed with an SSL setup outside the default.
As for what SSL type and issuer to use I would not recommend https://www.startssl.com/ as they do not offer SSLs with high browser ubiquity as they are not fully signed by an external root authority. Comodo and the consumer standard Rapid/GeoTrust are the best choices as far as assurance, recognition, and easy of use and concerned. You only need a DV (domain validated) SSL and they can be had for a few domains a month.
More on this and the Heroku SSL configuration can be found here
I recently spent some time setting this up. It can be done using CloudFront and a proxy to Heroku. This is probably best used for small projects but seems to be working great so far! See my post here:
http://ksylvest.com/posts/2014-05-06/setup-free-ish-ssl-tls-on-heroku-for-ruby-on-rails-or-any-other-framework
A few things have changed since this question was first answered, notably the advent of Let's Encrypt and new Heroku SSL endpoints, which together make it possible to add SSL for free. I've created a gem to generate and add certificates automatically: https://github.com/KMarshland/heroku-ssl. Once you've added heroku_ssl to your gemfile, you can simply run:
rake heroku_ssl:update_certs
Alternatively, if you don't want to use the gem, you can do these tasks manually:
1. Generate the SSL Certificate
Follow the instructions in https://github.com/unixcharles/acme-client to generate your certificates. You'll need to register your email, authorize the domain, and then finally get your certificates. When authorizing the domain, if you only have one server running, you can simply stick the authorization file in your public folder; if not, you'll either have to set up a dedicated controller and route or add a text record to your DNS zone file.
2. Add the certificate to Heroku
After downloading your certificates, you can either use Heroku's web interface or just run
heroku certs:update fullchain.pem privkey.pem
3. Configure your DNS
You need to set a CNAME record in your DNS zone file that points to [yourdomain].herokudns.com. The DNS zone file specifies what urls get mapped to what servers on the domain name you own. If your site is already pointed to your Heroku app, there will already be a CNAME record; you just need to change where it points to. If not, you'll need to add a new line:
[subdomain] [TTL] IN CNAME [yourdomain].herokudns.com.

RESTful Service with Self Signed SSL

We are building an end to end solution that will allow our customers to access their ERP data hosted in their own servers through mobile applications. Version 1 will be an iOS app.
We need to make sure the traffic between the client and the server is encrypted with SSL. The problem lies in that we want the installation of the server to be as seamless as possible, hence we don't want the customer to go through the process of buying and installing SSL Certificates. Not even mentioning having to renew that certificate every year.
We were thinking of creating a self signed CA certificate and use it to create child certificates for each client to install on their servers (along with the public CA certificate). We would automate the process of creating the child certificate and include it as part of the setup process. The certificate will also have a very long expiration date as to not dealing with expirations. But if we use this certificate the requests from the client won't be trusted as the CA won't be trusted.
Can the CA be added to the iOS app or device?
Is there a security concern with this implementation?
I have a very similar situation. So far I have just created self signed certificates and just programmed the clients to ignore allow untrusted SSL certificates. If there is a better answer I'd love to hear it.
It is 2017 and letsencrypt now exists, which provides free domain validation and signing of TLS certificates such that browsers / OS HTTPS or TLS libraries and frameworks will accept them, and through certbot it is relatively easy to set up auto-renewal. I won't describe it here because it's deployment specific, but they have good docs. Combined they're probably the best solution out there.
Bundling and using self-signed certificates is seriously sub-optimal for various reasons, and there's no reason to do it anymore (except perhaps gross laziness), so don't.
Free is only for basic domain-validated certificates, i.e. where letsencrypt.org validates that you own the domain that you say you do (and certbot is used to automate that process). You still need to pay for extra verification steps if you want them. However, for internal TLS connections between your app and your server, you only really need domain validated, because you only have to be sure you are talking to your server. The extra steps are more focussed on giving a customer confidence in a company, so they can give over sensitive data with greater peace of mind. Generally speaking if they are using you app, that suggests they trust your company already, so the extra validation is not important (and probably invisible to the customer anyway).
In development if you want to use self-signed certificates this may still make sense. Check out my answer to this question on how to install self-signed certificates for all apps on your iOS device.

IIS Passing client certificate to rails

I have an application written in Rails that must be ran behind a IIS server due to restrictions by the client, the government. We have to have SSL authentication. So what I can't figure out in my hours of searching Google is how to get IIS to pass the client certificate to the rails server (thin).
I've seen tutorials on Apache that use:
SSLOptions +ExportCertData
Which then make it available to the request object. Any ideas on how to configure IIS to do the same?
At least in the way that you ask the question IIS cannot provide a client certificate as the client cert would be issued by a third party. So you need to get the x509 cert that your application and then the cert is authenticated as part of the initial connection request with iis.
As to the apache function to provide the ssl cert from the server to the client, this functionality is not exposed by iis.
That's why you were not able to find anything on google
The main reason companies want to run Rails(or Other) applications behind an IIS server is for SSO apart from protecting the resources.
See if this helps.
We have been running our Rails app behind IIS at quite a few customer locations. We run our Rails app in JRuby inside Tomcat.
The steps to install the JK ISAPI redirector plugin are here
http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
All Rails contexts are protected in IIS using standard IIS authentication schemes, Integrated Windows Authentication ( Negotiate, NTLM).
Within the Rails app one can get the logged in user's information.
request.env['java.servlet_request'].get_remote_user
The Rails app also connects to Microsoft AD for additional user information like email, department etc.,
Since the Rails is blindly trusting the IIS server for authenticaiton it needs to be prevented from direct access.
1. Disable HTTP ports in Tomcat
2. Enable only the AJP port
3. Add an IP restriction so that it accepts connection only from the IIS server(s)
==
I do not think it is possible for IIS to pass on the certificate details. We tried to extract the Kerboros tokens ( for kerboros authentication delegation ) without much success and realized it is not possible.
After being told this may be impossible. I've finally figured it out! Here are the steps that I took.
Using OpenSSL create your own CA certificate.
Using the generated CA certficate create and sign other certificates with Open SSL.
Open Internet Information Service Manager click on the server, then click on server certificates.
Click Import under the Actions column
After importing click on your site.
In the Actions column click bindings...
Click add, scroll to https, and select the CA certificate that you imported
Click on your site again to get to the menu and click on SSL settings
Check require SSL and then click the radio buttion, require
Click your site again then click on the configuration editor (installed in IIS 7.5 can add-in in 7.0)
Go to system.webServer/security/authentication/iisClientCertificateMappingAuthentication
Set enabled to true
Set manyToOneCertificateMappings to true
Click on the ... box on the far right-end of manyToOneMappings
Click add under actions column, under collections
Add the username and password of the user you created (can be on local machine)
Now, go to the main server and restart.
You should be able to see the certificate using request.headers hash.
Variables for the hash include:
CERT_SERIALNUMBER
CERT_SUBJECT
CERT_ISSUER
HTTPS_SERVER_ISSUER
HTTPS_SERVER_SUBJECT
If you cannot find something you may have to install a module (for like authentication). I don't remember which ones I installed.

Windows Azure Multi-Tenant Application and SSL

We are creating a multi-tenant ASP.NET MVC application that will be deployed onto Windows Azure. We will have some custom domain www.abc.com that will map to our given Windows Azure url abc.cloudapp.net. We are considering giving each tenant their own subdomain that will identify them on our application (tenant1.abc.com, tenant2.abc.com, tenant3.abc.com, etc) and then creating a CNAME record for each subdomain to map to abc.cloudapp.net. I have a few questions with this design.
Will a single wildcard SSL certificate for *.abc.com allow all the tenants to access the site over a secure connection?
Do we purchase the SSL certificate for *.abc.com or for abc.cloudapp.net?
Will the url that our ASP.NET MVC application sees be the tenant1.abc.com url or the abc.cloudapp.net url?
Thanks
Yes, one wildcard certificate should be all you need
You want it for *.abc.com
I'm less sure about this one, but I'm pretty sure it's tenant1.abc.com
knightpfhor's answer is perfect, but just in case you need to have a custom domain (using CNAME as well) for some of your premium tenants, now you can have "SSL hostheaders" with a new IIS 8 (Windows Server 2012) supported feature called SNI .
I'm a Microsoft Technical Evangelist and I have posted a detailed explanation and a sample "plug & play" source-code that address your current (sub-domain wildcard certificate) and possibly future needs (custom domain certificates) at:
http://www.vic.ms/microsoft/windows-azure/multiples-ssl-certificates-on-windows-azure-cloud-services/

Resources