We have legacy SOAP Web Services (https://dev-ms01/Services/default.asmx
) which are written in asp.net 1.1 hosted on IIS7(win server 2008 standard),web services consumed by clients by providing Client Certificate. For the SSL Certificates
settings we have Accept
on this IIS
`Client(Request with SSL Client Certificate)--> IIS7 (on host dev-ms01)--> Asp.Net SOAP WebServices`
Now I'm trying to set up proxy IIS(IIS10 on win server 2016 64bit host secure-dev-ms01
) with revere proxy for the IIS7. I've followed msdn article https://blogs.msdn.microsoft.com/friis/2016/08/25/setup-iis-with-url-rewrite-as-a-reverse-proxy-for-real-world-apps/ to configure URL rewrite with ReverseProxy as below
`Client(Request with SSL Client Certificate)--> Proxy IIS10 Server with ReverseProxy (on host secure-dev-ms01)--> IIS7 (on host dev-ms01) --> Asp.Net SOAP WebServices`
On the IIS10
(host secure-dev-ms01
) for the SSL Certificates
settings I've chosen Accept
and I've tried the below ReverseProxy configuration . When I'm trying to browse the proxy web services URL as
https://secure-dev-ms01/Services/default.asmx
it is prompting the client certificate but after providing the client certificate am seeing below error
403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.
I've tried using below RevereProxy
as well and tried browsing the proxy web services URL
https://secure-dev-ms01/Services/default.asmx
and provided the client certificate but still am seeing below error. I've also tried unchecking the option Enable SSL Offloading
for both of the above RevereseProxy configurations, but that didnt work either
403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.
I found this msdn article https://blogs.msdn.microsoft.com/asiatech/2014/01/27/configuring-arr-with-client-certificate/ which suggests changingSSL Certificates
settings to Ignore
on the backend server(but we can not adopt this for our organization) and try using the certificate from the headers X-ARR-ClientCert
but we are trying to avoid making any code changes to the legacy asp.net 1.1 services
I couldnt find any relevant articles that could make IIS ARR ReverseProxy with Client Certificate Authentication work for backend IIS with just configuration tweaks on the IIS10 with ReverseProxy instead of code/config change on the backend IIS7, can someone please help me to make this work?