
ChristophOnMicrosoft asked ChristophOnMicrosoft commented

Web Application Proxy with IIS client certificate authentication behind

Dear all,

I have a WAP (Server 2019) and an IIS (10.0) running. On IIS, a website is running at https://te.contoso.com/.
A subfolder (te.contoso.com/subfolder) is protected by one-to-one client certificate authentication.

This is working fine as long as I am inside the network. As soon as I go via WAP to the protected subfolder, I get a 403 error from IIS (every time, with the same device).
WAP is configured as pass through (https://te.contoso.com to https://te.contoso.com). https://te.contoso.com itself is working from external as well.
Only https://te.contoso.com/subfolder displays 403.

How do I have to configure WAP, or is this not possible like this?
It seems like WAP is not delivering the client certificate to IIS.

Thanks for your help!

adfs

1 Answer

piaudonn answered ChristophOnMicrosoft commented

My understanding is that the WAP is terminating the TLS tunnel and establishing a new TLS session with the backend. In this context, the client never talks to the backend directly, which makes TLS authentication impossible.

You could configure the subfolder to use WS-Federation and federate with ADFS. Then you could enable certificate-based authentication in the authentication policy in ADFS (both internally and externally), and force the application to request certificate-based authentication. More of a workaround, but that would do the trick.


Thanks for your explanation!

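The workaround in piaudonn's answer, written out as AD FS and WAP PowerShell. This is an added example, not code from the thread or from Microsoft's documentation. The relying-party name, identifiers, URLs, the thumbprint placeholder, the claim rule, and the choice of the built-in "Permit everyone and require MFA" policy with certificate as the additional authentication method are assumptions about one way to meet the answer's three steps (WS-Federation on the subfolder, certificate authentication enabled in the AD FS policy for intranet and extranet, certificate authentication forced for this application). Values must be adapted to the real environment.

```powershell
# Added example: AD FS + WAP configuration for the workaround described in the answer.
# Everything below (names, URLs, thumbprint) is a placeholder / assumption.
# Run the Adfs* cmdlets on the AD FS server and the WebApplicationProxy* cmdlets on the WAP.

$rpName    = "te.contoso.com subfolder"
$rpId      = "https://te.contoso.com/subfolder/"   # wtrealm the IIS app will send
$wsFedUrl  = "https://te.contoso.com/subfolder/"   # where AD FS posts the token back
$extThumb  = "<THUMBPRINT-OF-te.contoso.com-CERT-ON-WAP>"  # placeholder

# ---------------------------------------------------------------------------
# AD FS server
# ---------------------------------------------------------------------------

# Step 1: register the subfolder application as a WS-Federation relying party.
# The IIS app itself must be switched from "Require client certificate" to
# WS-Federation (e.g. WIF / OWIN WS-Fed middleware) pointing at this AD FS.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Pass UPN to the application"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $rpId `
    -WSFedEndpoint $wsFedUrl `
    -IssuanceTransformRules $transformRules `
    -AccessControlPolicyName "Permit everyone and require MFA"   # built-in AD FS 2016+ policy

# Step 2: make certificate authentication available in the global policy.
# Primary: certificate is offered next to the usual method, inside and outside.
# Additional: certificate is the second factor that the "require MFA" policy
# above forces for this relying party (this is the "force the application to
# request certificate-based authentication" part of the answer).
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider @("CertificateAuthentication", "WindowsAuthentication") `
    -PrimaryExtranetAuthenticationProvider @("CertificateAuthentication", "FormsAuthentication") `
    -AdditionalAuthenticationProvider @("CertificateAuthentication")

# Caveat: AD FS performs certificate authentication on its own TLS endpoint
# (port 49443, or the certauth.<federation service name> alternate host name).
# Verify that this endpoint is reachable through the WAP and that the AD FS
# server can check revocation (CRL/OCSP) for the issuing CA, otherwise external
# users will fail at AD FS instead of at IIS.

# Check the resulting policy before testing from outside.
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object PrimaryIntranetAuthenticationProvider,
                  PrimaryExtranetAuthenticationProvider,
                  AdditionalAuthenticationProvider

# ---------------------------------------------------------------------------
# WAP server
# ---------------------------------------------------------------------------

# Step 3: publish the subfolder with AD FS pre-authentication instead of pass-through.
# The client certificate is now validated by AD FS, not by IIS, so the TLS
# termination on the WAP no longer matters for the subfolder.
Add-WebApplicationProxyApplication -Name $rpName `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName $rpName `
    -ExternalUrl $wsFedUrl `
    -BackendServerUrl $wsFedUrl `
    -ExternalCertificateThumbprint $extThumb

# If the site root stays published as pass-through, confirm which publication
# an external request to /subfolder actually matches on this WAP.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication
```

After this change, a 403 from IIS for external users should disappear because IIS no longer expects a client certificate on the subfolder; a failed certificate check now surfaces in the AD FS event logs on the federation server rather than in the IIS log on the backend, which is where to look when troubleshooting.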