client certificate authentication with IIS ARR RRS feed

  • Question

  • I've made an IIS 10 with ARR on a DMZ Windows Server 2019 (not domain joined) to reverse proxy to OWA (Exchange 2016) with client certificate authentication.

    I get error 402.1. Here are some details. On the IIS ARR side, in GENERAL_SET_REQUEST_HEADER, I can see the client certificate. I compared the thumbprint and it's the right certificate. On the IIS OWA side, I can see in GENERAL_REQUEST_HEADER my X-ARR-ClientCert with the same, correct certificate.

    But OWA does not seem to see it, because I'm redirected to NTLM authentication (with a 402.1 error in my logs).

    I've seen that SSL settings and binding to https should be disabled on the backend, but when I bind only on http, OWA does not work. It seems to work only on https.

    From a LAN address, when the SSL settings ask for a certificate, it works.

    What should I do to make client certificate authentication work from ARR? I can post logs if needed. Thanks.

    Thursday, March 7, 2019 8:11 AM

All replies

  • Hi,

    How do you configure ARR with client certificate? Here are some steps to configure the servers and have the client certificate passed through to the backend application server.

    1. First of all, please ensure the ARR server has SSL enabled and client certificates required.

    2. The backend application server should not have Accept/Require client certificates configured; otherwise, 502 will be returned from ARR server when trying to access the page.

    3. Then the client certificate will be passed to the backend server as an HTTP header, with the default header name configured as "X-ARR-ClientCert".

    4. And the certificate can be retrieved on the backend server in this way:

            using System;
            using System.Security.Cryptography.X509Certificates;

            // ARR forwards the client certificate as Base64-encoded DER in this header
            string cert = Request.Headers["X-ARR-ClientCert"];
            // decode the Base64 text to DER bytes before building the certificate object
            X509Certificate2 x509Cert2 = new X509Certificate2(Convert.FromBase64String(cert));

    5. Furthermore, you can change the header name to a custom one, or leave the header name blank so that no client certificate is passed through.

    For more information, please refer to the step-by-step walkthrough.

    Configuring ARR with Client Certificate

    Regards, 

    Dawn Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams. 

    • Marked as answer by waaalex Friday, March 29, 2019 1:59 PM
    Friday, March 8, 2019 5:38 AM
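    Step 4 above only shows the decode. The following is an added example, not code from this thread, from Microsoft, or from the ARR documentation, of what a backend application has to do before it treats the forwarded header as an authenticated identity: accept the header only when the TCP peer is the ARR host (any client that can reach the backend directly could otherwise set X-ARR-ClientCert itself), decode the Base64 DER, and re-validate the certificate chain against the client CA. The proxy address 192.0.2.10, the demo CA, and the .NET 6 or later target are assumptions; the keys and certificates are generated in memory as constructed data. It also bears on the later question in this thread about where the verification script belongs: this is application code in the backend's own request handling, not an IIS setting, so it only helps where you control the backend application's code.

    ```csharp
    using System;
    using System.Collections.Generic;
    using System.Security.Cryptography;
    using System.Security.Cryptography.X509Certificates;

    // Added example: how a backend application should treat the X-ARR-ClientCert
    // header before using it as an identity. Targets .NET 6 or later (assumption).
    public static class ForwardedClientCert
    {
        // Hypothetical address of the DMZ ARR host; only this peer may assert a
        // client certificate through the header.
        public static readonly HashSet<string> TrustedProxies = new HashSet<string> { "192.0.2.10" };

        // Returns true and the certificate when the header is trustworthy, otherwise
        // false and a reason that is safe to write to the backend's log.
        public static bool TryGetVerifiedCertificate(string remoteAddress, string headerValue,
            X509Certificate2 issuingCa, out X509Certificate2 cert, out string failure)
        {
            cert = null;
            failure = null;

            // Any client that can reach the backend directly could set this header
            // itself, so it only means something when the TCP peer is ARR.
            if (!TrustedProxies.Contains(remoteAddress))
            {
                failure = "X-ARR-ClientCert received from untrusted peer " + remoteAddress;
                return false;
            }
            if (string.IsNullOrWhiteSpace(headerValue))
            {
                failure = "no client certificate forwarded";
                return false;
            }

            // ARR puts the certificate in the header as Base64-encoded DER; reject
            // malformed values instead of letting the exception escape.
            try
            {
                cert = new X509Certificate2(Convert.FromBase64String(headerValue));
            }
            catch (Exception ex) when (ex is FormatException || ex is CryptographicException)
            {
                failure = "header is not a valid certificate: " + ex.Message;
                return false;
            }

            // Re-validate validity period and chain against the CA the ARR site
            // trusts, rather than assuming ARR already did (defence in depth).
            using (var chain = new X509Chain())
            {
                chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
                chain.ChainPolicy.CustomTrustStore.Add(issuingCa);
                // The demo CA below publishes no CRL; use Online in production.
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                if (!chain.Build(cert))
                {
                    failure = "chain validation failed: " +
                        string.Join(", ", Array.ConvertAll(chain.ChainStatus, s => s.Status.ToString()));
                    cert.Dispose();
                    cert = null;
                    return false;
                }
            }
            return true;
        }

        // Demonstration with throwaway keys generated in memory (constructed data).
        public static void Main()
        {
            DateTimeOffset now = DateTimeOffset.UtcNow;
            using var caKey = RSA.Create(2048);
            var caReq = new CertificateRequest("CN=Demo Client CA", caKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
            caReq.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign, true));
            caReq.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(caReq.PublicKey, false));
            using var ca = caReq.CreateSelfSigned(now.AddDays(-1), now.AddYears(1));

            using var userKey = RSA.Create(2048);
            var userReq = new CertificateRequest("CN=alice", userKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using var user = userReq.Create(ca, now.AddDays(-1), now.AddMonths(6), new byte[] { 0x01, 0x02, 0x03, 0x04 });
            // This is exactly the form ARR places in the header.
            string header = Convert.ToBase64String(user.Export(X509ContentType.Cert));

            // A self-signed certificate claiming the same subject, not issued by the CA.
            using var rogueKey = RSA.Create(2048);
            var rogueReq = new CertificateRequest("CN=alice", rogueKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using var rogue = rogueReq.CreateSelfSigned(now.AddDays(-1), now.AddMonths(6));
            string rogueHeader = Convert.ToBase64String(rogue.Export(X509ContentType.Cert));

            Report("genuine certificate via ARR", "192.0.2.10", header, ca);
            Report("same header sent straight to the backend", "198.51.100.7", header, ca);
            Report("malformed header", "192.0.2.10", "not-a-certificate", ca);
            Report("self-signed certificate with the same subject", "192.0.2.10", rogueHeader, ca);
        }

        private static void Report(string label, string peer, string header, X509Certificate2 ca)
        {
            bool ok = TryGetVerifiedCertificate(peer, header, ca, out X509Certificate2 cert, out string why);
            Console.WriteLine(ok ? $"{label}: accepted {cert.Subject}" : $"{label}: rejected ({why})");
            cert?.Dispose();
        }
    }
    ```

    Only the first of the four cases is accepted; the other three are rejected with a reason. The peer check is the part most often forgotten: if the backend is reachable on the LAN without going through ARR, the header carries no proof at all unless the application restricts who may send it.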
  • Hello, thank you for your answer.

    I've configured it as you said, except for point 4.

    4. And the certificate can be retrieved on the backend server in this way:

            using System;
            using System.Security.Cryptography.X509Certificates;

            // ARR forwards the client certificate as Base64-encoded DER in this header
            string cert = Request.Headers["X-ARR-ClientCert"];
            // decode the Base64 text to DER bytes before building the certificate object
            X509Certificate2 x509Cert2 = new X509Certificate2(Convert.FromBase64String(cert));

    Where shall I put this on the backend server? (In which file or location?)

    Thanks.

    Friday, March 8, 2019 7:37 AM
  • Hi,

    Sorry for late reply.

    You don't need to add the lines anywhere. It just shows how ARR passes the certificate to the backend server.

    Did you disable Anonymous authentication in IIS ARR? If not, you can try disabling anonymous authentication and see if it helps.


    Regards,

    Dawn Zhou



    Tuesday, March 12, 2019 9:44 AM
  • Hello,

    It does not help.

    When I disable anonymous auth on IIS ARR, I get error 401.2 and nothing is passed to the backend server.

    X-ARR-ClientCert is not inserted in the header.

    Regards.

    Tuesday, March 12, 2019 10:13 AM
  • Apologies for the confusion.

    The authentication protocol required to support Windows Authentication on the ARR server is Anonymous. So it should be ENABLED not disabled.

    The installation and configuration of an ARR server farm is required here. After configuring the ARR server farm, if you access the ARR URL from a client machine at this point, you will get a challenge response/credential pop-up. This is expected at this stage.

    Please refer to the following blog and check whether you have completed the later steps.

    Part 1: Reverse Proxy for Exchange Server 2013 using IIS ARR

    Regards,

    Dawn Zhou



    • Marked as answer by waaalex Friday, March 29, 2019 1:59 PM
    Thursday, March 14, 2019 9:55 AM
  • Ok ;)

    With anon auth enabled on ARR, when I connect to ARR, it asks for a client certificate and then the backend server asks for credentials with a popup.

    But I want the client certificate to be passed to the backend server (OWA here) to authenticate (like SSO). Is it possible?

    I followed these steps: https://blogs.msdn.microsoft.com/benjaminperkins/2014/06/02/configure-application-request-routing-arr-with-client-certificates/

    X-ARR-ClientCert is present in the header (see last capture) but not interpreted by OWA.

    Thanks.

    EDIT: I've found a script for verification: https://docs.microsoft.com/fr-fr/azure/app-service/app-service-web-configure-tls-mutual-auth

    I've made some modifications, but now I wonder where to put this code.

    Thanks.

    • Edited by waaalex Thursday, March 14, 2019 1:27 PM some more information
    Thursday, March 14, 2019 10:03 AM
  • Have you read this blog? According to the blog, you can use Kerberos authentication with ARR and won't get the credential prompt. 

    For the Azure issue, I'd recommend asking in the Azure forum, where you will get the most qualified pool of respondents.

    Regards,

    Dawn Zhou



    Tuesday, March 19, 2019 8:33 AM
  • OK, I will test that. Note that my ARR is not domain joined.

    I do not have an Azure issue; my OWA is on premises. The script for the web service checks X-ARR-ClientCert, but I don't know where to put it in my OWA.

    EDIT: It doesn't work because ARR is not domain joined.


    • Edited by waaalex Tuesday, March 19, 2019 10:01 AM
    Tuesday, March 19, 2019 9:45 AM
  • Hi,

    I'm consulting with the Microsoft team about the issue. If there is any progress, I will post it here at once.

    Thanks for your patience and understanding.

    Regards,

    Dawn Zhou



    Friday, March 22, 2019 9:49 AM
  • Hi,

    Can you log on to OWA without an error prompt if you bypass ARR? To narrow down the issue, please do a test and check the result.

    Feel free to let me know if there is any update.

    Regards,

    Dawn Zhou



    Friday, March 29, 2019 10:00 AM
  • Yes, it works.

    Thank you for your help.

    I won't search any more.

    Now I can connect with a certificate to ARR, and ARR gives me the login page for Exchange.

    It's good like this.

    It works with ActiveSync too.

    Thank you very much.

    Friday, March 29, 2019 1:58 PM