Your SSL certificate provider should have specific instructions on what certificates need to be in the intermediate and root stores on the server. You can access the certificate store using the Certificates MMC snap-in (certmgr.msc).
Hi. Facing the same problem. Possibly you use self-signed certificates? Possibly then the process is not able to read your trusted certificate store?
xxyyzz
8 Posts
Re: HTTP Error 502.3 - Bad Gateway A security error occurred
Mar 28, 2011 03:07 PM
I'm not sure how to actually view the certificate chain.
owjeff
680 Posts
Re: HTTP Error 502.3 - Bad Gateway A security error occurred
Mar 28, 2011 03:12 PM
OrcsWeb: Managed Windows Hosting Solutions
"Remarkable Service. Remarkable Support."
Vimm
1 Post
Re: HTTP Error 502.3 - Bad Gateway A security error occurred
Nov 18, 2011 04:03 PM
I'm having the exact same issue. As xxyyzz stated, when connecting directly to a backend server it works fine so I doubt it's a bad certificate chain. The issue is only when routing through the ARR server. I've managed to find a forum post with a reasonable explanation here: http://forums.iis.net/t/1157253.aspx He states that ARR does not forward the client certificate. So, if the backend server requires a client cert the request will fail. He suggested that the ARR server forward the certificate details in headers and be reconstructed on the backend server, but wouldn't that leave the backend servers vulnerable to spoofing via a direct connection? Maybe if they were behind a firewall to only accept connections from the ARR server...
Maybe one day Microsoft will allow ARR to forward client certificates, otherwise it looks like if you're doing client certificate authorization ARR is not a good fit.
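The spoofing concern raised in the post above, as an added example that is not part of the original thread: a backend-side check that honours a forwarded certificate header only when the connection comes from the proxy. The header name, the proxy address and the certificate bytes are assumptions constructed for illustration, and the pinned SHA-256 thumbprint is one possible way to decide which certificates are accepted.

```python
import base64
import hashlib
import ipaddress

# Assumptions for this sketch (none come from the thread):
CERT_HEADER = "x-client-cert"                            # hypothetical header name
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]  # constructed ARR address
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
ALLOWED_THUMBPRINTS = {hashlib.sha256(SAMPLE_DER).hexdigest()}


def encode_header(der: bytes) -> str:
    """What the proxy would send: the certificate bytes, base64-encoded."""
    return base64.b64encode(der).decode("ascii")


def authenticate(peer_ip: str, headers: list) -> tuple:
    """Decide whether a forwarded client certificate may be trusted.

    peer_ip must be the TCP peer address of the connection, never a value
    taken from a request header. headers is a list of (name, value) pairs
    so that duplicated headers remain visible.
    """
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in TRUSTED_PROXIES):
        # Direct connection: anyone can type the header, so it proves nothing.
        return (False, "not from proxy")
    values = [v for k, v in headers if k.lower() == CERT_HEADER]
    if len(values) != 1:
        # The proxy is expected to strip client-supplied copies and set one.
        return (False, "missing or duplicated header")
    try:
        der = base64.b64decode(values[0], validate=True)
    except ValueError:
        return (False, "malformed header")
    thumbprint = hashlib.sha256(der).hexdigest()
    if thumbprint not in ALLOWED_THUMBPRINTS:
        return (False, "unknown certificate")
    return (True, thumbprint)


if __name__ == "__main__":
    good = [("X-Client-Cert", encode_header(SAMPLE_DER))]
    print(authenticate("10.0.0.5", good))      # via the proxy
    print(authenticate("203.0.113.9", good))   # same header, direct connection
```

This check sits alongside the firewall restriction mentioned in the post rather than replacing it, and it relies on the proxy having validated the certificate during the TLS handshake, since the backend only ever sees the forwarded bytes.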
Adrian B.
7 Posts
Re: HTTP Error 502.3 - Bad Gateway A security error occurred
Jan 19, 2012 09:06 AM