I have IIS ARR set up as a reverse proxy with a web app sitting behind it. If I send a HTTPS request to the proxy with a value in the X-ARR-ClientCert header then that value won't reach the web app. How can this be fixed?
I've set SSL Settings to accept client certificates. As per this guide I also changed the system.webServer/proxy configuration field to be something else then X-ARR-ClientCert without success.
The proxy passes any other header through properly.
Best Answer
X-ARR-ClientCert is sent if there was a mutual SSL handshake with ARR. Sending a request via https with the X-ARR-ClientCert header won't be enough as there really wasn't a mutual SSL handshake in that scenario. By a mutual SSL handshake, It means that the browser or client gets prompted for a client certificate and the client provides one.
If you want your setup to work with the X-ARR-ClientCert header, I'd recommend to install ARR Helper. One of its features is that it reads the X-ARR-ClientCert header (configurable to be any arbitrary header with a base64 encoded certificate) and it emulates the requests to have the client certificate.