IHttpRequest::NegotiateClientCertificate Method

Initiates client certificate negotiation with a Web client.

Syntax

HRESULT NegotiateClientCertificate(  
   IN BOOL fAsync,  
   OUT BOOL* pfCompletionPending = NULL  
)   

Parameters

fAsync
[IN] true to specify that negotiation should occur asynchronously; otherwise, false.

pfCompletionPending
[OUT] true to specify that an asynchronous completion is pending; otherwise, false.

Return Value

An HRESULT. Possible values include, but are not limited to, those in the following table.

Remarks

Developers can use the NegotiateClientCertificate method to manually initiate client certificate negotiation with a Web client, even if IIS is configured to accept or ignore client certificates. NegotiateClientCertificate supports both synchronous and asynchronous operation by specifying the appropriate setting in the fAsync parameter. When your module calls NegotiateClientCertificate asynchronously, the module must return processing to the integrated request-processing pipeline immediately after calling the method if the pfCompletionPending value indicates that an asynchronous completion is pending.

Example

The following example demonstrates how to call NegotiateClientCertificate method.

REQUEST_NOTIFICATION_STATUS
CMyHttpModule::OnBeginRequest(
                              IHttpContext*       pHttpContext,
                              IHttpEventProvider* // pProvider  
                              )
{
   static long cnt;     
   InterlockedIncrement (&cnt);  // keep track of how many times we are called
   HRESULT hr = E_FAIL;
   IHttpRequest *pIHTTPR = pHttpContext->GetRequest();

   HTTP_REQUEST * pRawRequest = pIHTTPR->GetRawHttpRequest();
   HTTP_COOKED_URL hcu = pRawRequest->CookedUrl;

   // Send URL and count to the trace window
   TRC_MSGW_FULL( L"cnt = " << cnt << " URI: " << hcu.pFullUrl );

   // return immediately if not a HTTPS request
   if ( pRawRequest->pSslInfo == NULL ){
      TRC_MSG( "connection is not using SSL");
      return RQ_NOTIFICATION_CONTINUE;
   }

   // change the bForce flag to test behavior of forcing load of client cert
   bool bForce=true;
   if(bForce){
      TRC_MSG("forcing load of client cert");
      hr = pIHTTPR->NegotiateClientCertificate(FALSE);
      if(FAILED(hr)){
         LOG_ERR_HR(hr, "NegotiateClientCertificate : HR = ");
         return RQ_NOTIFICATION_CONTINUE;
      }
   }
   else
      TRC_MSG("Not forcing load of client cert");

   HTTP_SSL_CLIENT_CERT_INFO *pClientCertInfo;
   BOOL fccNeg;
   hr = pIHTTPR->GetClientCertificate(&pClientCertInfo,&fccNeg);

   // If you have not selected "Require Client Certificates" or called
   // NegotiateClientCertificate(), you  may get  ERROR_NOT_FOUND 

   if( hr == HRESULT_FROM_WIN32(ERROR_NOT_FOUND)){
      TRC_MSG( "Cert not found" );
      return RQ_NOTIFICATION_CONTINUE;
   }
   if(FAILED(hr)){
      LOG_ERR_HR("GetClientCertificate", hr);
      return RQ_NOTIFICATION_CONTINUE;
   }	

   if( fccNeg && pClientCertInfo != NULL){
      ULONG uSiz = pClientCertInfo->CertEncodedSize;
      TRC_MSG( "cert size: " << uSiz  \
         << " Previously negotiated " << fccNeg );
      unsigned long certCrc = genCRC(pClientCertInfo->pCertEncoded,
         pClientCertInfo->CertEncodedSize);
      TRC_MSG( "cert crc: " << certCrc );
   }
   else
      TRC_MSG( "No client certificate.");

   return RQ_NOTIFICATION_CONTINUE;
}

For more information on how to create and deploy a native DLL module, see Walkthrough: Creating a Request-Level HTTP Module By Using Native Code.

You can optionally compile the code by using the __stdcall (/Gz) calling convention instead of explicitly declaring the calling convention for each function.

Requirements

See Also

IHttpRequest Interface
IHttpRequest::GetClientCertificate Method