#StackBounty: #ssl #iis #reverse-proxy #https #asp.net IIS ARR ReverseProxy with Client Certificate Authentication for backend IIS

Bounty: 50

We have legacy SOAP web services (https://dev-ms01/Services/default.asmx) written in ASP.NET 1.1 and hosted on IIS7 (Windows Server 2008 Standard); clients consume the web services by providing a client certificate. For the SSL Certificates setting we have Accept on this IIS.

`Client(Request with SSL Client Certificate)--> IIS7 (on host dev-ms01)--> Asp.Net SOAP WebServices`

Now I’m trying to set up a proxy IIS (IIS10 on a Windows Server 2016 64-bit host, secure-dev-ms01) as a reverse proxy for the IIS7. I’ve followed the MSDN article https://blogs.msdn.microsoft.com/friis/2016/08/25/setup-iis-with-url-rewrite-as-a-reverse-proxy-for-real-world-apps/ to configure URL Rewrite with ReverseProxy as below:

`Client(Request with SSL Client Certificate)--> Proxy IIS10 Server with ReverseProxy (on host secure-dev-ms01)--> IIS7 (on host dev-ms01) --> Asp.Net SOAP WebServices`

On the IIS10 (host secure-dev-ms01), for the SSL Certificates setting I’ve chosen Accept and I’ve tried the ReverseProxy configuration shown in the screenshot. When I try to browse the proxy web services URL https://secure-dev-ms01/Services/default.asmx it prompts for the client certificate, but after providing the client certificate I am seeing the error below:

403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.

I’ve tried using the ReverseProxy configuration from the second screenshot as well, browsed the proxy web services URL https://secure-dev-ms01/Services/default.asmx and provided the client certificate, but I am still seeing the error below. I’ve also tried unchecking the option Enable SSL Offloading for both of the above ReverseProxy configurations, but that didn’t work either:

403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.

I found this MSDN article https://blogs.msdn.microsoft.com/asiatech/2014/01/27/configuring-arr-with-client-certificate/ which suggests changing the SSL Certificates setting to Ignore on the backend server (but we cannot adopt this for our organization) and using the certificate from the X-ARR-ClientCert header, but we are trying to avoid making any code changes to the legacy ASP.NET 1.1 services.

I couldn’t find any relevant articles that make IIS ARR ReverseProxy with client certificate authentication work for a backend IIS with just configuration tweaks on the IIS10 reverse proxy instead of code/config changes on the backend IIS7. Can someone please help me make this work?
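The second linked article's approach works because ARR terminates the client's TLS session on the proxy and relays the presented certificate to the backend as the X-ARR-ClientCert header (base64 DER), rather than re-presenting it inside a new TLS handshake. The check that a backend has to perform if it adopts that header is shown below as an added example; it is not code from the question, from IIS, or from either linked article. The proxy address, the allow-listed thumbprint and the certificate bytes are all constructed placeholders, and the thumbprint allow-list stands in for the full chain validation a real X.509 library would do.

```python
import base64
import hashlib
import ipaddress
from typing import Optional, Tuple

# Constructed sample: stand-in bytes for a DER-encoded client certificate.
# In a real request the header carries the base64 DER of the certificate
# the client presented to the ARR proxy.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"constructed-not-a-real-certificate" * 4
SAMPLE_HEADER = base64.b64encode(SAMPLE_DER).decode("ascii")

# Hypothetical address of the reverse proxy host (secure-dev-ms01 in the
# question). Only requests arriving from here may assert a client identity
# through the header, because any direct caller can type the header itself.
TRUSTED_PROXY_ADDRESSES = {ipaddress.ip_address("10.0.0.5")}

# Assumed allow-list: SHA-1 thumbprints (hex, uppercase, no separators) of
# the client certificates the service accepts, derived here from the sample.
ALLOWED_THUMBPRINTS = {hashlib.sha1(SAMPLE_DER).hexdigest().upper()}


def thumbprint_from_header(header_value: str) -> Optional[str]:
    """Decode the base64 DER carried in X-ARR-ClientCert and return its
    SHA-1 thumbprint (the value the Windows certificate UI displays), or
    None when the header is not valid base64 or is empty."""
    try:
        der = base64.b64decode(header_value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not der:
        return None
    return hashlib.sha1(der).hexdigest().upper()


def authenticate(remote_addr: str, headers: dict) -> Tuple[bool, str]:
    """Decide whether a request relayed by the proxy carries a trusted
    client identity. Returns (accepted, reason)."""
    addr = ipaddress.ip_address(remote_addr)
    if addr not in TRUSTED_PROXY_ADDRESSES:
        # The header is only meaningful when the trusted proxy set it.
        return False, "client certificate header from untrusted peer"
    header_value = headers.get("X-ARR-ClientCert")
    if header_value is None:
        return False, "no client certificate presented to the proxy"
    thumbprint = thumbprint_from_header(header_value)
    if thumbprint is None:
        return False, "malformed X-ARR-ClientCert header"
    if thumbprint not in ALLOWED_THUMBPRINTS:
        return False, "certificate %s not on allow-list" % thumbprint
    return True, "accepted certificate %s" % thumbprint


if __name__ == "__main__":
    print(authenticate("10.0.0.5", {"X-ARR-ClientCert": SAMPLE_HEADER}))
    print(authenticate("192.0.2.7", {"X-ARR-ClientCert": SAMPLE_HEADER}))
    print(authenticate("10.0.0.5", {}))
```

The source-address check is the part that matters once the backend's SSL Certificates setting is Ignore: at that point the backend no longer authenticates anyone at the TLS layer, so a request that reaches it without passing through the proxy must not be able to claim an identity just by supplying the header. Restricting the backend's listener to the proxy (firewall or IPsec) is the configuration-level equivalent of this check.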
