I'm looking to secure an ASP.NET MVC application with SSL and client certificate authentication. I'm using IIS 7.5, Windows Server 2008 R2.

I'd like to know whether it's possible to do the following through Web.config (it has to be through there!)

1. Require SSL communication for all requests
2. Map multiple client certificates to a single user
3. Require the user to be authenticated

Also, any pointers on how to go on about doing this, any tutorials or other relevant resources will be much appreciated as I'm new to pretty much all of these things.

So, to answer my own questions.. all of the above can be achieved through the Web.config. The following section of the Web.config requires SSL through the system/access section, and configures many-to-one client certificate mapping. These sections are locked in the applicationHost.config so anyone wishing to edit them in the Web.config will need to unlock them. There are many tutorials on that so I won't go into it.

        <security>
            <access sslFlags="Ssl, SslNegotiateCert" />
            <authentication>
                <anonymousAuthentication enabled="false" />
                <iisClientCertificateMappingAuthentication enabled="true" manyToOneCertificateMappingsEnabled="true">
                    <manyToOneMappings>
                        <add name="Authentication Certificate"
                             enabled="true"
                             permissionMode="Allow"
                             userName="foo"
                             password="bar">
                            <rules>
                                <add certificateField="Issuer" certificateSubField="CN" matchCriteria="*.stackoverflow.com" compareCaseSensitive="false" />
                            </rules>
                        </add>
                    </manyToOneMappings>
                </iisClientCertificateMappingAuthentication>
            </authentication>
        </security>

Going in order:

1. Require SSL communication for all requests - Yes. In IIS, set the site with only an https binding, and delete the http binding. The site will not respond to http requests. If you do this, you should create a script to redirect 403.4 errors from http://mysite.com to https://mysite.com. You can find many examples of how to do this using various tools.

2. Map multiple client certificates to a single user - I dunno. I will pass on this one.

3. Require the user to be authenticated - Yes. In the web.config file, in the <system.web> element, add the following:

    <authorization>
        <deny users="?"/>
    </authorization>