ARR with SSL Mutual Authentication
Last post Sep 18, 2013 05:25 PM by sunseeker
Apr 28, 2009 07:41 PM | Poobalan.Naidoo
I would like to use ARR on a front end server to do Load Balancing to 3 Backend IIS 7.0 Web Servers. The Backend servers accept requests only from clients that have a valid client certificate. I am able to get it all to work using https only if the Backend is configured to not require Client certificates. The moment I enable the Require Client certificate option the ARR server responds with "502 - Web server received an invalid response while acting as a gateway or proxy server." It appears that the ARR server is not passing the client certificate to the Backend server which then is responding with an error.
I'm not sure if ARR supports mutual authentication or if what I want to achieve is even possible. Any help/advice in this regard will be appreciated.
May 08, 2009 04:35 PM | anilr
There is no way in the https protocol to have a proxy "delegate" the client certificate to the backend web-server. However, if you install the ARR Helper module on the backend web-server, it can use the information about the client-certificate that ARR transmits as headers (assuming you first require client-certificate on the ARR machine) to create the data structures needed to make IIS on the backend server think that it actually received a client-certificate. Note that the backend web-server is not receiving a real client certificate in this case, so all operations with the client certificate will not work.
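What the answer above implies for a backend that consumes the forwarded certificate, as an added example that is not part of the thread and not ARR Helper's code: the certificate arrives as header text, so it is honoured only when the connection comes from the ARR machine and the certificate is pinned. The header name `X-ARR-ClientCert` (assumed here to be ARR's header carrying the base64-encoded certificate; the thread does not name it), the proxy address and the sample bytes are assumptions or constructed values.

```python
import base64
import binascii
import hashlib
import hmac
import ipaddress

# Assumption: header ARR uses for the forwarded certificate (not named in the thread).
CERT_HEADER = "X-ARR-ClientCert"

# Constructed sample data: placeholder bytes standing in for a DER certificate.
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed-placeholder-not-a-real-certificate"
SAMPLE_HEADER = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_THUMBPRINT = hashlib.sha256(SAMPLE_DER).hexdigest()
TRUSTED_PROXIES = ["10.0.0.5/32"]   # constructed address of the ARR machine
ALLOWED = {SAMPLE_THUMBPRINT}       # pinned SHA-256 thumbprints (hex)


def forwarded_cert_thumbprint(remote_addr, headers, trusted_proxies, allowed):
    """Return the SHA-256 thumbprint of the forwarded certificate, or None.

    The backend never saw a TLS client certificate; it only sees a header.
    The header is therefore accepted only from the ARR hop, and only if the
    decoded certificate bytes match a pinned thumbprint.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        return None  # not the ARR machine: ignore the header entirely
    # HTTP header names are case-insensitive; reject missing or repeated values.
    values = [v for k, v in headers.items() if k.lower() == CERT_HEADER.lower()]
    if len(values) != 1 or not values[0].strip():
        return None
    try:
        der = base64.b64decode(values[0].strip(), validate=True)
    except (binascii.Error, ValueError):
        return None  # malformed header content
    thumbprint = hashlib.sha256(der).hexdigest()
    for pinned in allowed:
        if hmac.compare_digest(thumbprint, pinned.lower()):
            return thumbprint
    return None


if __name__ == "__main__":
    ok = forwarded_cert_thumbprint("10.0.0.5", {CERT_HEADER: SAMPLE_HEADER},
                                   TRUSTED_PROXIES, ALLOWED)
    print("accepted thumbprint:", ok)
```

Pinning by thumbprint checks identity only; expiry and revocation still have to be enforced where the real TLS handshake happens, on the ARR machine.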
May 08, 2009 06:06 PM | Poobalan.Naidoo
Thanks for the reply. The ARR is a very nice add on for IIS. I have gone back to using the Network load Balancing service which does only the routing of requests to backend servers and works nicely with the certificates but no application level checking.
The ARR does excellent Application routing but no HTTPS routing like NLBS. Would like to see something like a merge between NLBS and ARR as they each seem to be missing something that the other has in order to be a very powerful Load Balancing solution.
Sep 18, 2013 05:25 PM | sunseeker
Hi, Is there any way to debug ARR Helper?
I've wasted some hours, but am still unable to reconstruct the client SSL certificate on the backend IIS, due to headers content - it is forwarded:
ARR Helper is installed in IIS, also I've tried to change its order in the modules list, but still no effect - 401 Unauthorized
All SSL server certs are identical and valid on the ARR machine and the backend IIS.
SSL-offloading - disabled.