IIS – Configuring IIS ARR for backend client certificate authentication

Tags: arr, iis, ssl-certificate

I have an IIS server configured with ARR to reverse proxy requests to a backend server. The backend server requires client certificate authentication; however, it only needs to authenticate the reverse proxy (not the end user).

The end user authentication is passed inside the content of the request and is not the problematic part.

End User -->-- IIS with ARR -->(mutual SSL)>-- Backend web server

How does one configure the client certificate in IIS or ARR?

When searching around, I often find questions and threads related to forwarding the client certificate from the end user to the backend server, and this is not possible. Further, these usually suggest turning off client certificate authentication on the backend server, but this must remain on.

Here are some questions I found, but they all relate to the end-user client certificate:

Best Answer

Chances are Microsoft ARR is using CAPI to store its certificates, but there is no guarantee that ARR will use it even if you make the certificate available to it. Client-side authentication requires extra code, and your requirements are not that common. It could have been overlooked and left behind...

To make your client certificate available to a service, you have to edit its "MY" CAPI store. Run mmc.exe from an elevated prompt and add the Certificates snap-in. You will have to select which CAPI store to use; select the computer's store. Import your certificate into "Personal certificates", making sure you import the private key with it (it will say so when you go back and view the certificate you imported).

If adding your certificate to the computer store does not work, try the service store. This will be required if ARR runs with its own identity.

I also had an issue with AD LDS where the service did not have read access to the private key. This article was helpful, but it might be too far off for ARR. Look for the ADAM special case on that page; the command you are looking for is

certutil -v -verifystore MY 0
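The steps in the answer above (import into the computer's MY store with the private key, then make sure the identity ARR runs under can read that key) can be scripted instead of done through mmc.exe. The following PowerShell is an added example, not part of the original answer and not anything from the ARR project; it assumes a PFX at C:\certs\arr-client.pfx, an RSA key, and that the proxied site runs under the application pool "DefaultAppPool" (all three are hypothetical and must be adjusted). Run it from an elevated prompt.

```powershell
# Added example: stage a client certificate for use by IIS/ARR.
# Assumptions (hypothetical): PFX path, RSA key, app pool name.
$PfxPath   = 'C:\certs\arr-client.pfx'
$PoolName  = 'DefaultAppPool'
$Principal = "IIS AppPool\$PoolName"   # identity the worker process runs as
$PfxPass   = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Import into the computer's "Personal" store (Cert:\LocalMachine\My).
#    -Exportable keeps the key exportable in case it later has to be moved
#    into a service-specific store, as the answer suggests trying.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $PfxPass -Exportable

# 2. Confirm the private key really came along with the certificate.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) was imported without its private key"
}

# 3. Find the on-disk key container. Machine keys live under ProgramData;
#    CNG (RSACng) and legacy CAPI (RSACryptoServiceProvider) keys use
#    different directories and expose their file name differently.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
    $keyDir  = "$env:ProgramData\Microsoft\Crypto\Keys"
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyDir  = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"
}
$keyPath = Join-Path $keyDir $keyName
if (-not (Test-Path $keyPath)) {
    throw "Private key file not found at $keyPath"
}

# 4. Grant the application pool identity read access to the key file only
#    (Read, not FullControl: the proxy needs to sign with the key, not
#    export or replace it).
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Principal, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 5. Verify with certutil, as in the answer, selecting the cert by thumbprint
#    rather than by index so the check does not depend on store ordering.
certutil -v -verifystore MY $cert.Thumbprint
```

Two things to check after running it: the `certutil` output should report that the key is present and that private key verification passed, and the ACL on the key file should now list the app pool identity with read access. If the worker process runs as a custom account instead of the built-in app pool identity, set `$Principal` to that account. As the answer notes, none of this guarantees ARR will actually present the certificate to the backend; it only removes the store and permission problems that would otherwise prevent it from doing so.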