public SupportUserEntity CheckForSupportUserCertificate(Guid userId, HttpRequest request, out string errorMessage) { // If the user is not a support user, just return null if (!ContextProvider.IsSupportUser(userId)) { errorMessage = "The user is not a support user"; return(null); } // Ensure that the support user is logging in at the support URL var urlHost = Resolver.Get <IAppSettingsHelper>().Get <string>("SUPPORT_HOST_URL"); if (request.Url.Host != urlHost) { errorMessage = "Invalid username or password"; return(null); } // Ensure that the client certificate is present bool clientCertificatePresent = false; string commonName = null; string certificateString = request.Headers["X-Client-Cert"]; if (!certificateString.IsNullOrEmpty()) { // If the request is served via a proxy, the client certificate is passed through via a custom header clientCertificatePresent = true; var x509Certificate = new X509Certificate2(Encoding.UTF8.GetBytes(certificateString)); commonName = x509Certificate.GetNameInfo(X509NameType.SimpleName, false); } else if (request.ClientCertificate.IsPresent) { // If the request is served purely by IIS, the client certificate can be accessed using the .NET request object clientCertificatePresent = true; commonName = request.ClientCertificate["SUBJECTCN"]; } if (clientCertificatePresent == false) { errorMessage = "A certificate is required in order to login"; return(null); } if (commonName == null) { errorMessage = "Your certificate is missing crucial information"; return(null); } // Use the common name in the subject of the certificate to retrieve the support user var supportUserController = new SupportUserRepository(); SupportUserEntity supportUser = supportUserController.Get(commonName); if (supportUser == null) { errorMessage = "Access has not been enabled for your certificate"; return(null); } errorMessage = string.Empty; return(supportUser); }