I have configured an IIS 7 proxy using ARR under Windows 2008 R2. My goal is to let the IIS proxy provide a client certificate when performing a WebService call. See "diagram" below.

  1. Server A -(SOAP call over https)-> IIS Proxy -(SOAP call over https)-> Server B (External WS)
  2. Server B -(Client certificate request)-> IIS Proxy (Provides public part of PKCS12 cert)
  3. IIS Proxy -(Sends certificate and completes TLS handshake)-> Server B
  4. Server A -(Sends SOAP message)-> IIS Proxy -(SOAP message)-> Server B
  5. Server B -(response)-> IIS Proxy -(response)-> Server A

I get as far as step 1, then I receive error "HTTP Error 502.3 - Bad Gateway" (0x80072f0c). Err.exe reports 0x80072f0c as error "ERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED".

I have imported the PKCS12 certificate to IIS. I have imported the PKCS12 certifier to "Intermediate Certification Authorities" and "Trusted Root Certification Authorities" for PKCS12 certificate using mmc.

What am I missing here?


Solution 2

I have learned that IIS 7.5 cannot solve this problem. IIS + ARR cannot provide the certificate on "Server A"s behalf.

This can, however, be solved using a proxy under Apache.

I would be happy for someone to prove me wrong!
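The Apache approach mentioned in the answer above, sketched as an added example that is not part of the original answer: a reverse proxy that presents the client certificate to Server B during the back-end TLS handshake. Host names, the address of Server A and all file paths are placeholders, and `proxy-client.pem` is assumed to be the PKCS12 bundle converted to PEM (certificate followed by its unencrypted private key).

```apache
# Added example; host names, IP address and file paths are placeholders.
# Requires mod_ssl, mod_proxy and mod_proxy_http (Apache 2.4).
# proxy-client.pem holds the client certificate and its unencrypted private
# key, so keep it readable by root only.

<VirtualHost *:443>
    ServerName proxy.example.internal

    # Front side: TLS for the connection coming from Server A.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/proxy-server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/proxy-server.key

    # Back side: speak TLS to Server B and answer its client certificate
    # request with the certificate and key from this file.
    SSLProxyEngine on
    SSLProxyMachineCertificateFile /etc/apache2/ssl/proxy-client.pem

    # Authenticate Server B before sending it anything.
    SSLProxyVerify require
    SSLProxyVerifyDepth 3
    SSLProxyCACertificateFile /etc/apache2/ssl/server-b-ca.pem
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # Reverse proxy only, never an open forward proxy.
    ProxyRequests Off
    ProxyPass        /ws/ https://server-b.example.com/ws/
    ProxyPassReverse /ws/ https://server-b.example.com/ws/

    # Every caller that reaches this path is seen by Server B as the
    # certificate holder, so limit access to Server A.
    <Location "/ws/">
        Require ip 10.0.0.10
    </Location>
</VirtualHost>
```

`apachectl configtest` checks the syntax before a reload.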

Other tips

I am looking at implementing something similar to you and found this http://blogs.msdn.com/b/asiatech/archive/2014/01/28/configuring-arr-with-client-certificate.aspx which seems to suggest that you can pass client certs from the client through an ARR proxy to backend servers.

Thanks,

Jon

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow