
We have legacy SOAP Web Services (https://dev-ms01/Services/default.asmx) which are written in ASP.NET 1.1 and hosted on IIS7 (Windows Server 2008 Standard); the web services are consumed by clients by providing a client certificate. For the SSL Certificates setting we have Accept on this IIS.

`Client(Request with SSL Client Certificate)--> IIS7 (on host dev-ms01)--> Asp.Net SOAP WebServices`

Now I'm trying to set up a proxy IIS (IIS10 on a Windows Server 2016 64-bit host, secure-dev-ms01) with a reverse proxy for the IIS7. I've followed the MSDN article https://blogs.msdn.microsoft.com/friis/2016/08/25/setup-iis-with-url-rewrite-as-a-reverse-proxy-for-real-world-apps/ to configure URL Rewrite with ReverseProxy as below

`Client(Request with SSL Client Certificate)--> Proxy IIS10 Server with ReverseProxy (on host secure-dev-ms01)--> IIS7 (on host dev-ms01) --> Asp.Net SOAP WebServices`

On the IIS10 (host secure-dev-ms01), for the SSL Certificates setting I've chosen Accept and I've tried the below ReverseProxy configuration (screenshot not included). When I try to browse the proxy web services URL https://secure-dev-ms01/Services/default.asmx it prompts for the client certificate, but after providing the client certificate I'm seeing the below error

403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.

I've tried using the below ReverseProxy as well (screenshot not included), and tried browsing the proxy web services URL https://secure-dev-ms01/Services/default.asmx and provided the client certificate, but I'm still seeing the below error. I've also tried unchecking the option Enable SSL Offloading for both of the above ReverseProxy configurations, but that didn't work either

403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.

I found this MSDN article https://blogs.msdn.microsoft.com/asiatech/2014/01/27/configuring-arr-with-client-certificate/ which suggests changing the SSL Certificates setting to Ignore on the backend server (but we cannot adopt this for our organization) and using the certificate from the X-ARR-ClientCert header, but we are trying to avoid making any code changes to the legacy ASP.NET 1.1 services.

I couldn't find any relevant articles that make IIS ARR ReverseProxy with client certificate authentication work for a backend IIS with just configuration tweaks on the IIS10 with ReverseProxy, instead of code/config changes on the backend IIS7. Can someone please help me make this work?

I assume you have IIS7 (on host dev-ms01) machine in a secured network with no direct access from the Internet.

In this case, you need to enable SSL offloading and client certificate authentication on Proxy IIS10 Server with ReverseProxy (on host secure-dev-ms01) only and disable SSL offloading and certificate auth in IIS7.

In this scheme, IIS10 is responsible for the SSL handshake and certificate validation. It places the certificate (POM) into the X-ARR-ClientCert header and proxy-passes requests to IIS7 via plain HTTP, including this header. You probably need to set up passing of the X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Schema and X-Forwarded-Host headers on IIS10, in the URL Rewrite rule, if your ASP services have any use for them.

So, for your IIS10 server:

  • enable ARR
  • add a rewrite URL rule to proxy-pass to IIS7
  • set up passing of the headers above in the rewrite rule
  • add a server certificate
  • require SSL in the SSL settings of the Default Web Site
  • set the client certificates setting equal to Accept
  • enable anonymous authentication for your site
  • set up HTTPS bindings with the server certificate

For the IIS7 server:

  • disable HTTPS bindings
  • do not require SSL
  • do not require client certificates

Hopefully, you'll get the following scheme working

Browser ---[HTTPS]---> IIS10 --[HTTP + headers]--> IIS7

where headers are X-ARR-ClientCert, X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Schema, and X-Forwarded-Host.
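As an added illustration of the answer's IIS10 checklist (this is not the answerer's own configuration and is not taken from the linked articles), the fragment below shows how those settings look in applicationHost.config on the proxy host. It assumes the site name Default Web Site from the answer, the hostnames dev-ms01 and secure-dev-ms01 from the question, and a rule name chosen here (ReverseProxyToDevMs01). Because the backend then trusts whatever arrives in X-ARR-ClientCert, the fragment only makes sense under the answer's first-sentence assumption that IIS7 is reachable solely from the proxy.

```xml
<!-- applicationHost.config on secure-dev-ms01 (IIS10 + ARR + URL Rewrite).
     Added example, not the answerer's configuration. -->
<configuration>
  <system.webServer>
    <!-- Step 1: enable ARR proxying. ARR itself appends X-Forwarded-For and,
         when a client certificate was negotiated, X-ARR-ClientCert (base64 DER). -->
    <proxy enabled="true"
           preserveHostHeader="false"
           reverseRewriteHostInResponseHeaders="true" />
    <rewrite>
      <!-- Step 3: server variables a rewrite rule may set must be whitelisted here. -->
      <allowedServerVariables>
        <add name="HTTP_X_FORWARDED_PROTO" />
        <add name="HTTP_X_FORWARDED_HOST" />
      </allowedServerVariables>
    </rewrite>
  </system.webServer>

  <location path="Default Web Site">
    <system.webServer>
      <security>
        <!-- Steps 5 and 6: "Require SSL" plus client certificates "Accept".
             (SslRequireCert would be the "Require" setting; "None" would be "Ignore".) -->
        <access sslFlags="Ssl, SslNegotiateCert" />
        <!-- Step 7: anonymous authentication; the identity comes from the certificate,
             which IIS10 validated during its own TLS handshake with the client. -->
        <authentication>
          <anonymousAuthentication enabled="true" />
        </authentication>
      </security>
      <rewrite>
        <rules>
          <!-- Step 2: proxy-pass everything to IIS7 over plain HTTP (SSL offloading):
               the client's TLS session, including the client certificate, ends here. -->
          <rule name="ReverseProxyToDevMs01" stopProcessing="true">
            <match url="(.*)" />
            <serverVariables>
              <!-- Step 3: tell the backend what the original scheme and host were. -->
              <set name="HTTP_X_FORWARDED_PROTO" value="https" />
              <set name="HTTP_X_FORWARDED_HOST" value="{HTTP_HOST}" />
            </serverVariables>
            <action type="Rewrite" url="http://dev-ms01/{R:1}" />
          </rule>
        </rules>
      </rewrite>
    </system.webServer>
  </location>
</configuration>
```

Steps 4 and 8 (the server certificate and the HTTPS binding) are done in IIS Manager or with the binding tools rather than in this file. On the IIS7 side, the answer's three bullets correspond to removing the HTTPS binding and setting `<access sslFlags="None" />` for the site, so that IIS7 no longer asks IIS10 for a certificate during the proxy hop; that hop is exactly where the 403 in the question comes from, since ARR does not re-present the client's certificate to the backend.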

Comments:

  • IIS7 (on host dev-ms01) machine in a secured network and it does have direct access from the Internet, but it supports TLS 1, TLS 1.1 and TLS 1.2. We need an instance with only TLS 1.2, so we are setting up a proxy IIS10 which supports only TLS 1.2 and forwards all the requests to IIS7. So in production we will be maintaining both IIS7 and IIS10; that's why we are trying to avoid making any code/config changes to the IIS7.
  • A client certificate exchange is done during the SSL handshake between a client and a server. When a browser connects to IIS10 or IIS7 (probably via proxies which don't do SSL offloading), the browser is the client and IIS is the server. That's a usual thing. Another thing is the case when a browser connects to IIS10 via HTTPS (browser is the client, IIS10 is the server) and then IIS10 connects to IIS7 also via HTTPS. Here IIS10 is the client in the SSL handshake and it should provide a client certificate if IIS7 requires it. That's the problem. I don't know how to set it up, sorry.
  • As far as I know, the client certificate auth is usually done between client and server without any intermediating SSL offloading proxies. By "server" here I mean not the ASP backend but any server that supports SSL offloading (IIS, nginx, Apache, etc.).

This article is reproduced from Stack Exchange / Stack Overflow.