Authenticated Origin Pull and IIS

Hi folks

I am trying to configure AOP on a test site and wondering where this is going wrong…

  1. Added iisClientCertificateMappingAuthentication role to IIS 8
  2. Disabled all Authentication forms, except for Windows Auythentication
  3. Changed SSL Settings to Require SSL | Require Client Certificate
  4. Added Cloudflare Certificate from https://support.cloudflare.com/hc/en-us/articles/204899617 to the Trusted Root Certificate Authorities showing as “origin-pull.Cloudflare.net
    5.Open IIS Manager, go to site, open Configuration Editor and navigate to system.webServer/security/authentication/iisClientCertificateMappingAuthentication

At this point I tried to add a Many-to-one relationship but whatever I do my site returns 403.

Are there some specific instructions on how create the relationship, identify the certificate, etc?

The blog post https://blog.Cloudflare.com/protecting-the-origin-with-tls-authenticated-origin-pulls/ mentioned instructions would be added but there’s nothing for IIS there.

Any ideas?

Thanks!

1 Like

Hi @freitasm,

I’m by no means an IIS expert, but what error logs do you have when the HTTP 403 is served? I wonder if Request Tracing would reveal something about why IIS is not able to authenticate the “client” (in this case Cloudflare):

403 is the expected HTTP result if authentication fails - it fails because I have not completed the final step, which is to create the one-to-many relationship between certificate and user. This is the missing piece of the puzzle.

@freitasm have you completed any of this part:

Perhaps you can paste the configuration you have here and any IIS users can maybe advise on the specific structure you need to set this up. It seems the part that’s not really clear is exactly how you’d map this client certificate expectation across the entire site (e.g. “all users”).

did anyone figure out how to configure this??

What I did (for one-to-one mapping):

  1. Enabled AOP in my account
  2. Downloaded the certificate
  3. Added the certificate in IIS:
    • Certificate: base64-encoded certificate, removing newline characters
    • Username and Password: Leave empty
  4. Site>SSL Settings>Check Require SSL
    • Select Require under Client Certificates
  5. Disable Anonymous Authentication

If you leave “Ignore” selected under SSL Settings you should get a 401 Unauthorized. This indicates that it’s set up correctly. Select “Require” and you will get the web resource at the origin (403 in my case since it’s just an empty folder).

For the many-to-one the process is similar, as @simon posted. But you have to look at the <add/> documentation to get anywhere.

  • In this instance, you only need to download the origin-pull certificate to see what the subject line looks like.

The steps are as follows (after step 2 above):

  1. Add item:
    • name can be anything
    • userName, password must be filled in, but don’t have to tie to anything
  2. Click rules

image

  1. Follow with step 4 above

And that was it. I didn’t have to add the certificate anywhere else. This particular test used the Origin CA certificate option so I get a privacy error when I go the website outside of Cloudflare, but I’m pretty confident that you would just get a 401 as in the test above.

Given the criteria that the many-to-one uses, it seems to be more secure to use the one-to-one and validate against the entire certificate.

Additional Note: There is no UI so I used the Configuration Editor from within the IIS site itself.

2 Likes

i added this section but all i ever got was a gateway timeout
note1: the password string was just some bogus data from the microsoft docs.
note2: we converted the pem to crt format and imported into local computer->personal->certificates, which is where IIS keeps normal ssl server certs.

<system.webServer>





           </oneToOneMappings>
        </iisClientCertificateMappingAuthentication>
     </authentication>
  </security>

my xml didn’t paste correctly…