sharptooth sharptooth - 2 months ago 22
C# Question

Why is my controller action filter no longer invoked once I override SSL settings with a "location" element?

I have an ASP.NET MVC3 application with an action filter attribute applied to a controller:

public class MyFilterAttribute : ActionFilterAttribute
public override void OnActionExecuting(
ActionExecutingContext filterContext)
"MyFilterAttribute", "entered" );

public override void OnResultExecuted(
ResultExecutedContext filterContext)
"MyFilterAttribute", "exited" );

public class MyController : Controller
public ActionResult MyAction()
return new EmptyResult();

MVC routing maps
to the controller-action pair above.

and the client code invokes
and dumps the response headers.

Initially it works - I see that the response received on the client contains two
headers as expected.

Then I add a
element to web.config:

// lots of stuff, then
<location path="MyPath">
<access sslFlags="SslNegotiateCert"/>

and once I redeploy with these changes the response headers no longer contain the two

to web.config is the only change. Once I remove it the old expected behavior is back.

It looks like adding a
elements somehow breaks MVC attributes.

What might be causing this behavior?


sslFlags="SslNegotiateCert" requests that IIS opens a mutually verified channel which is not the default behavior. I looked into IIS logs and it's HTTP 403.16 (client certificate untrusted) all the time. Because the client certificate is self-signed IIS doesn't trust it and so fails to open a mutually verified channel.

Either I have to not use SslNegotiateCert (and then the client certificate is not passed to application code) or I need a certificate which IIS trusts (this answer explains how that can be achieved).