Authenticated Origin Pulls with CloudFlare and IIS

Tags: authentication, certificate, cloudflare, windows-server-2012-r2

I'm running Windows Server 2012 R2 with CloudFlare in front and trying to set up authenticated origin pulls as specified here:

https://support.cloudflare.com/hc/en-us/articles/204899617

The problem I'm running into is that even after going through the steps to enable client certificate authentication, I'm still getting a 403 Forbidden when trying to hit the site via CloudFlare. I used part of the guide here to set things up on IIS:

https://support.microsoft.com/en-us/kb/315588

The steps I've done are:

  1. Enabled Authenticated Origin Pulls on CloudFlare Account
  2. IIS SSL Settings -> Require SSL + Client Certificates: Require
  3. Configuration Editor -> iisClientCertificateMappingAuthentication
    1. enabled -> True
    2. oneToOneMappings -> Add -> Valid Windows Username/Password + Certificate attached to bottom of the CloudFlare support article above

It seems like I must be missing a step somewhere?

Best Answer

For anyone who stumbled upon this, after tracing the error, I figured out the step I missed was importing the CloudFlare client cert to Local Machine -> Trusted Root Certification Authorities.

Edit: This actually just solves one half of the issue. The problem is, this adds CloudFlare certs as trusted, and lets them authenticate. However, any other trusted cert/client can also do the same.

To actually authorize specific certs (signed by the CloudFlare cert), there has to be some other method; I'm guessing the "many-to-one" Certificate Mapping in IIS.

Edit 2: This worked just fine: added a new many-to-one mapping rule, and mapped any client certificates issued by the trusted root CloudFlare cert to my web/Windows user.
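The two halves of the fix above (trusting the CloudFlare CA, then restricting access to certs issued by that CA with a many-to-one rule), scripted with the WebAdministration and PKI cmdlets that ship with Windows Server 2012 R2. This is an added example, not code from the poster or from CloudFlare; the certificate file path, site name and mapping account are assumptions, and the rule's match value is read from the imported CA cert rather than hard-coded.

```powershell
# Added example (not from the original post). Assumed values: the path of the
# CloudFlare origin-pull CA cert saved from the support article, the IIS site
# name, and a low-privilege local account to map matching client certs to.
Import-Module WebAdministration

$CertPath = 'C:\certs\origin-pull-ca.cer'   # assumed: CA cert from the CloudFlare article
$SiteName = 'Default Web Site'              # assumed
$MapUser  = 'IIS_CFPULL'                    # assumed: dedicated low-privilege account
$Secure   = Read-Host -AsSecureString "Password for $MapUser"
$PlainPw  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure))

# Half 1: trust the CloudFlare CA so IIS can build a chain for the client cert.
$ca = Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root
# Client certs issued by this CA carry its Subject as their Issuer; take the CN.
$issuerCN = $ca.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

# These sections are locked at server level by default, so write them into
# applicationHost.config under <location path="$SiteName"> rather than web.config.
$Host    = 'MACHINE/WEBROOT/APPHOST'
$Section = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

# IIS "SSL Settings": require TLS and require (not just accept) a client cert.
Set-WebConfigurationProperty -PSPath $Host -Location $SiteName `
    -Filter 'system.webServer/security/access' -Name sslFlags `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Half 2: many-to-one mapping on, one-to-one off (the earlier attempt is no longer needed).
Set-WebConfigurationProperty -PSPath $Host -Location $SiteName -Filter $Section -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $Host -Location $SiteName -Filter $Section -Name manyToOneCertificateMappingsEnabled -Value $true
Set-WebConfigurationProperty -PSPath $Host -Location $SiteName -Filter $Section -Name oneToOneCertificateMappingsEnabled -Value $false

# One mapping: only certs whose Issuer CN equals the CloudFlare CA's CN map to $MapUser.
# A cert from any other CA in the Trusted Root store fails this rule, closing the gap
# the answer's first edit describes.
Add-WebConfigurationProperty -PSPath $Host -Location $SiteName `
    -Filter "$Section/manyToOneMappings" -Name '.' `
    -Value @{ name = 'CloudFlare origin pull'; enabled = $true; permissionMode = 'Allow';
              userName = $MapUser; password = $PlainPw }
Add-WebConfigurationProperty -PSPath $Host -Location $SiteName `
    -Filter "$Section/manyToOneMappings/add[@name='CloudFlare origin pull']/rules" -Name '.' `
    -Value @{ certificateField = 'Issuer'; certificateSubField = 'CN';
              matchCriteria = $issuerCN; compareCaseSensitive = $false }

# Check what IIS will actually enforce.
Get-WebConfiguration -PSPath $Host -Location $SiteName -Filter "$Section/manyToOneMappings/add/rules/add" |
    Select-Object certificateField, certificateSubField, matchCriteria
```

Run it in an elevated PowerShell on the origin; afterwards a request through CloudFlare should succeed while a direct request without a CloudFlare-issued client cert is rejected at the TLS layer.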
