Authenticate Asp.net 4.7.2 application to Azure AD using x509 certificate


We have updated several .NET Core / 5 applications to authenticate with Azure AD at the application level (not user) by registering them in Azure AD with x509 certificates, with the purpose of pulling down Azure Key Vault secrets into our dev / production applications. I am currently looking for a solution to do this with our ASP.NET 4.7.2 MVC web applications. Ideally this would update our web.config appSettings and connection strings automatically, like it does when using the built-in User Secrets file locally and like it does with our JSON files in the .NET Core / 5 apps.

Currently I have the registered app and associated cert in Azure AD. The registered app has permissions to the Key Vault. If I open the app locally and add a connected service -> Azure Key Vault while signed into VS with an account that has access to my Azure domain, it all works without issue. Keys are replaced in my web.config with the values stored in Azure Key Vault instead of what is saved in my local user secrets file. Example of the web.config config builder for reference:

<add name="AppSettings_AzureKeyVault" vaultName="vault-name" vaultUri="https://vault-name.vault.azure.net/" prefix="AppSetting-" stripPrefix="true" mode="Greedy" type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

How do I adjust this approach so that I can load and use the x509 certificate, as opposed to having to be logged in as a specific user that has access to the key vault? I assume there is something I would need to do in Global.asax or Startup.cs, like I have done in the past with OWIN setups, but I am uncertain where to start.
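One way to get the web.config behaviour the question describes while authenticating as the app registration with its certificate, as an added example that is neither the asker's code nor part of Microsoft's config builder packages: a custom builder deriving from KeyValueConfigBuilder in Microsoft.Configuration.ConfigurationBuilders.Base, using Azure.Identity's ClientCertificateCredential and Azure.Security.KeyVault.Secrets. The class name, the web.config attribute names tenantId, clientId and certThumbprint, and the LazyInitialize/GetValue/GetAllValues override signatures are assumptions about the Base package's API.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Configuration.ConfigurationBuilders;
// Hypothetical builder: same web.config pattern as AzureKeyVaultConfigBuilder, but
// authenticates as the app registration with a certificate from the machine store.
public class CertKeyVaultConfigBuilder : KeyValueConfigBuilder
{
    private SecretClient _client;
    protected override void LazyInitialize(string name, NameValueCollection config)
    {
        base.LazyInitialize(name, config);
        // Attributes of the <add .../> element in web.config (attribute names chosen here).
        X509Certificate2 cert = LoadCertificate(config["certThumbprint"]);
        // The private key never leaves the store; the credential only signs with it.
        var credential = new ClientCertificateCredential(config["tenantId"], config["clientId"], cert);
        _client = new SecretClient(new Uri(config["vaultUri"]), credential);
    }
    private static X509Certificate2 LoadCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: true rejects expired or untrusted certificates instead of silently using them.
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: true);
            if (found.Count == 0)
                throw new InvalidOperationException("App registration certificate not found: " + thumbprint);
            return found[0];
        }
    }
    // Strict mode: one lookup per key named in web.config; a missing secret leaves the value untouched.
    public override string GetValue(string key)
    {
        try { return _client.GetSecret(key).Value.Value; }
        catch (Azure.RequestFailedException ex) when (ex.Status == 404) { return null; }
    }
    // Greedy mode: every enabled secret whose name starts with the configured prefix.
    public override ICollection<KeyValuePair<string, string>> GetAllValues(string prefix)
    {
        var values = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (SecretProperties p in _client.GetPropertiesOfSecrets())
            if (p.Enabled != false && p.Name.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
                values[p.Name] = _client.GetSecret(p.Name).Value.Value;
        return values;
    }
}
```

It is registered in web.config's configBuilders section with the same attributes as the builder in the question (vaultUri, prefix, stripPrefix, mode) plus tenantId, clientId and certThumbprint, and type="CertKeyVaultConfigBuilder, YourAssemblyName". The app pool identity needs read access to the certificate's private key, and the app registration needs the Key Vault secrets get/list permission for Greedy mode to enumerate.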

Kartik Bhiwapurkar

• I would suggest you to please refer to the following link regarding configuring certificate authentication in an ASP.NET Core application, as it suggests installing and importing the ‘Microsoft.AspNetCore.Authentication.Certificate’ NuGet package first and then calling the ‘builder.Services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme).AddCertificate(...);’ class in the ‘Program.cs’ file of the application. Then configure the certificate validation through the ‘CertificateAuthenticationOptions’ handler, which performs the validations that should be performed on a certificate, and then it can be incorporated and used in the ASP.NET application.

https://learn.microsoft.com/en-us/aspnet/core/security/authentication/certauth?view=aspnetcore-6.0

Once the above has been done as described in the link, you can try again to connect to your application hosted in the Azure API Management service through this certificate. For more information regarding configuration of Azure Key Vault in an ASP.NET application and retrieving the certificate details from there to use in your application, you can also refer to the following related documentation link:

https://learn.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-6.0