Web Application Proxy with IIS client certificate authentication behind

Christoph Thurnheer 81 Reputation points
2020-06-04T18:08:03.78+00:00

Dear all,

I have running a WAP (Server 2019) and an IIS (10.0). On IIS, a website is running, https://te.contoso.com/.
A subfolder (te.contoso.com/subfolder) is protected by one-to-one client certificate authentication.

This is working fine, as long I am inside the network. As soon I go via WAP to the protected subfolder, I get an error 403 from IIS (every time with the same device).
WAP is configured as pass through (https://te.contoso.com to https://te.contoso.com). https://te.contoso.com itself is working from external as well.
Only https://te.contoso.com/subfolder displays 403.

How do I have to configure WAP or is this not possible like this?
Seems like WAP is not delivering the client certificate IIS.

Thanks for your help!

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
954 questions
No comments
{count} votes

Accepted answer
  1. Pierre Audonnet - MSFT 9,976 Reputation points Microsoft Employee
    2020-06-04T20:01:01.83+00:00

    My understanding is that the WAP is terminating the TLS tunnel and establishing a new TLS session with the backend. In this context, the client never talks to the backend directly making the TLS authentication impossible.

    You could configure the subfolder to use WS-Federation and federate with ADFS. Then you could enable Certificate Based authentication in the authentication policy in ADFS (both internally and externally), and force the application to request certificate based authentication. More of a workaround but that would do the trick.


0 additional answers

Sort by: Most helpful