Hello,

I am looking for direction or advice after many days playing with DNN and reading Forum.

Our company trying to build portal based on DNN.

Main requirement is SSL connection and Certificate Authentication on every page. All our customers have already installed digital certificates and using them in all our other applications for authentication.
We are already installed latest DNN and I already tried to create Authentication module based on article of Joe Brinkman
http://blog.theaccidentalgeek.com/post/2009/07/13/DotNetNuke-Tips-and-Tricks-12-Creating-your-own-Authentication-Provider.aspx,
but we not satisfied with result (user still have to provide userid and password), but I can see certificate information passed by user (Dim certificate = HttpContext.Current.Request.ClientCertificate).

I need advice and direction how to implement our requrements in DNN:

- transparent authentication (user does not enter any info or click any buttons), if user does not have valid certificate show error page
- every page should be authenticated (by redirecting every page to our new module/page?)
- digital certificate info should be checked behind scene by our new DNN module (compare certificate params with our data in SQL table or XML file ?)

I will appreciate any help and advice.

Eugene

Sorry Eugene. I saw this post earlier, got distracted, and missed answering it.

The best I can think of ATM is to look at the AD provider. Specifically look at the AuthenticationModule.vb that implements IHttpModule. In the web.config there's a line added to the <httpModule> section which forces DNN to go through the AuthenticationModule.vb file every page refresh, click, etc. In the case of an automatic login it does the redirect to WindowsSignin.aspx which logs the Active Directory user into DNN.

Without seeing your code I'm just guessing but from what you've described this is similar to what you're trying to accomplish (user visits site, your AuthenticationModule file is called, certificate is checked, if valid pass user on to wherever they're going/if not do something else).

Mike,

you suggested to investigate AD provider and specificly AuthenticationModule.vb that implements IHttpModule, but after searching DNN project I discovered another place where potentially I can verify my clients certificates on every page request, this is DotNetNuke.HttpModules.dll (project DotNetNuke.HttpModules  - Membership - MembershipModule.vb following method:

        Public Sub OnAuthenticateRequest(ByVal s As Object, ByVal e As EventArgs)

            Dim Context As HttpContext = CType(s, HttpApplication).Context
            Dim Request As HttpRequest = Context.Request
            Dim Response As HttpResponse = Context.Response

            'read Certificate
            Response.Write("Eugene Test; DateTime=" + DateAndTime.Now.ToString() + "</br>")
            Response.Write("ClientCertificate.IsValid=" + Request.ClientCertificate.IsValid.ToString() + "</br>")
            Response.Write("ClientCertificate.Issuer=" + Request.ClientCertificate.Issuer + "</br>")
            Response.Write("ClientCertificate.ServerIssuer=" + Request.ClientCertificate.ServerIssuer + "</br>")
            Response.Write("ClientCertificate.Subject=" + Request.ClientCertificate.Subject + "</br>")

I did some quick changes, recompile, replaced original DLL and now I see certificate info on every HTTPS request

so Mike my question is it correct place to do this page certificate validation ?