ARR with SSL Mutual Authentication

3 replies

Last post Sep 18, 2013 05:25 PM by sunseeker

  • ARR with SSL Mutual Authentication

    Apr 28, 2009 07:41 PM|Poobalan.Naidoo

    I would like to use ARR on a front end server to do Load Balancing to 3 Backend IIS 7.0 Web Servers. The Backend servers accept requests only from clients that have a valid client certificate. I am able to get it all to work using https only if the Backend is configured to not require Client certificates. The moment I enable the Require Client certificate option the ARR server responds with "502 - Web server received an invalid response while acting as a gateway or proxy server." It appears that the ARR server is not passing the client certificate to the Backend server which then is responding with an error.

    I'm not sure if ARR supports mutual authentication or if what I want to achieve is even possible. Any help/advice in this regard will be appreciated.

    Application Request Routing port https http webfarm

  • Re: ARR with SSL Mutual Authentication

    May 08, 2009 04:35 PM|anilr

    There is no way in the https protocol to have a proxy "delegate" the client certificate to the backend web-server.  However, if you install the ARR Helper module on the backend web-server, it can use the information about the client-certificate that ARR transmits as headers (assuming you first require client-certificate on the ARR machine) to create the data structures needed to make IIS on the backend server think that it actually received a client-certificate.  Note that the backend web-server is not receiving a real client certificate in this case, so all operations with the client certificate will not work.

    Anil Ruia
    Software Design Engineer
    IIS Core Server
  • Re: ARR with SSL Mutual Authentication

    May 08, 2009 06:06 PM|Poobalan.Naidoo

    Thanks for the reply. The ARR is a very nice add on for IIS. I have gone back to using the Network load Balancing service which does only the routing of requests to backend servers and works nicely with the certificates but no application level checking. The ARR does excellent Application routing but no HTTPS routing like NLBS. Would like to see something like a merge between NLBS and ARR as they each seem to be missing something that the other has in order to be a very powerful Load Balancing solution.




  • Re: ARR with SSL Mutual Authentication

    Sep 18, 2013 05:25 PM|sunseeker

    Hi, Is there any way to debug ARR Helper?

    I've wasted some hours, but I'm still unable to reconstruct the client SSL certificate on the backend IIS, due to the headers content - it is forwarded:

    X-ARR-ClientCert: MIIF0TCCBL.........

    ARR Helper is installed in IIS, also I've tried to change its order in the modules list, but still no effect - 401 Unauthorized

    All SSL server certs are identical and valid on the ARR machine and Backend IIS.

    SSL-offloading - disabled.
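
An added example, not part of any post in this thread and not ARR or ARR Helper code: one way to check on the backend that a received X-ARR-ClientCert value is a complete base64-encoded DER certificate before looking at the helper module itself. The function names and the sample blob are constructed for illustration; `PAGE_PREFIX` is the first eight characters of the header value quoted above.

```python
import base64
import binascii

PAGE_PREFIX = "MIIF0TCC"  # first 8 base64 chars of the header value quoted in the thread

def der_total_length(data: bytes) -> int:
    """Total size (header + content) declared by the outer DER SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("does not start with a DER SEQUENCE (0x30)")
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length field")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def check_arr_clientcert(header_value: str) -> dict:
    """Diagnose a forwarded certificate header value; input is untrusted."""
    text = "".join(header_value.split())   # drop spaces and line folding
    try:
        raw = base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        return {"ok": False, "reason": f"not valid base64: {exc}"}
    try:
        declared = der_total_length(raw)
    except ValueError as exc:
        return {"ok": False, "reason": str(exc)}
    result = {"ok": declared == len(raw), "declared": declared, "received": len(raw)}
    if not result["ok"]:
        result["reason"] = "length mismatch (value truncated or padded in transit)"
    return result

def constructed_sample() -> str:
    """Constructed stand-in: a 260-byte DER SEQUENCE, not a real certificate."""
    blob = b"\x30\x82\x01\x00" + bytes(256)
    return base64.b64encode(blob).decode("ascii")

if __name__ == "__main__":
    # The quoted prefix alone already states how many bytes must arrive.
    print(check_arr_clientcert(PAGE_PREFIX))
    print(check_arr_clientcert(constructed_sample()))
```

Run against the quoted prefix, the check reports that a complete value must decode to 1493 bytes, which can be compared with what the backend actually logs for the header.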