title | description | ms.date | ms.assetid |
---|---|---|---|
Mitigation: X509CertificateClaimSet.FindClaims Method | Learn how the X509CertificateClaimSet.FindClaims method has changed for apps that target .NET Framework 4.6.1. | 03/30/2017 | ee356e3b-f932-48f5-875a-5e42340bee63 |

Starting with apps that target .NET Framework 4.6.1, the `X509CertificateClaimSet.FindClaims` method attempts to match the `claimType` argument with all the DNS entries in the certificate's subject alternative name (SAN) field.

This change affects only apps that target .NET Framework 4.6.1 or later versions.

For apps that target previous versions of the .NET Framework, the `X509CertificateClaimSet.FindClaims` method attempts to match the `claimType` argument only with the last DNS entry.

If this change is undesirable, apps that target .NET Framework 4.6.1 or later versions can opt out of it by adding the following configuration setting to the `<runtime>` section of the app’s configuration file:

```xml
<runtime>
  <AppContextSwitchOverrides value="Switch.System.IdentityModel.DisableMultipleDNSEntriesInSANCertificate=true" />
</runtime>
```

In addition, apps that target previous versions of the .NET Framework but are running under .NET Framework 4.6.1 or later versions can opt in to this behavior by adding the following configuration setting to the `<runtime>` section of the app’s configuration file:

```xml
<runtime>
  <AppContextSwitchOverrides value="Switch.System.IdentityModel.DisableMultipleDNSEntriesInSANCertificate=false" />
</runtime>
```
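
To see which behavior an app actually gets, the following added example (not part of the original documentation) prints a certificate's SAN extension next to the DNS claims that `FindClaims` returns under the current configuration. The class name `SanDnsClaimCheck` and the command-line argument are assumptions, and the project is assumed to be a .NET Framework console app that references System.IdentityModel.

```csharp
// Added example; SanDnsClaimCheck is a hypothetical name.
using System;
using System.IdentityModel.Claims;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class SanDnsClaimCheck
{
    const string SwitchName =
        "Switch.System.IdentityModel.DisableMultipleDNSEntriesInSANCertificate";

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: SanDnsClaimCheck <certificate.cer>");
            return 2;
        }

        // Reports only an explicit override from the configuration file; without
        // one, the behavior follows the framework version the app targets.
        bool disabled;
        Console.WriteLine(AppContext.TryGetSwitch(SwitchName, out disabled)
            ? "Override present: " + SwitchName + "=" + disabled
            : "No override set for " + SwitchName);

        using (var cert = new X509Certificate2(args[0]))
        using (var claimSet = new X509CertificateClaimSet(cert))
        {
            // What the certificate carries (OID 2.5.29.17 is subjectAltName).
            X509Extension san = cert.Extensions["2.5.29.17"];
            Console.WriteLine("SAN extension in certificate:");
            Console.WriteLine(san == null ? "  (none)" : san.Format(true));

            // What FindClaims exposes as DNS claims under the current setting.
            var dnsNames = claimSet
                .FindClaims(ClaimTypes.Dns, Rights.PossessProperty)
                .Select(c => c.Resource as string)
                .Where(n => n != null)
                .ToList();

            Console.WriteLine("DNS claims returned by FindClaims: " + dnsNames.Count);
            foreach (string name in dnsNames)
                Console.WriteLine("  " + name);
            return 0;
        }
    }
}
```

Run it against a certificate with several DNS SAN entries, once with and once without the opt-out setting in the app's configuration file, and compare the two claim lists.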