Authenticated Origin Pull and IIS


#1

Hi folks

I am trying to configure AOP on a test site and wondering where this is going wrong…

  1. Added iisClientCertificateMappingAuthentication role to IIS 8
  2. Disabled all Authentication forms, except for Windows Authentication
  3. Changed SSL Settings to Require SSL | Require Client Certificate
  4. Added Cloudflare Certificate from https://support.cloudflare.com/hc/en-us/articles/204899617 to the Trusted Root Certificate Authorities showing as “origin-pull.cloudflare.net”
  5. Open IIS Manager, go to site, open Configuration Editor and navigate to system.webServer/security/authentication/iisClientCertificateMappingAuthentication

At this point I tried to add a Many-to-one relationship but whatever I do my site returns 403.

Are there some specific instructions on how create the relationship, identify the certificate, etc?

The blog post https://blog.cloudflare.com/protecting-the-origin-with-tls-authenticated-origin-pulls/ mentioned instructions would be added but there’s nothing for IIS there.

Any ideas?

Thanks!
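
An added example (not from the original post, and not Cloudflare's or Microsoft's published configuration) of the many-to-one mapping the steps above lead to, as it would appear in the site's <location> block of applicationHost.config, which is where Configuration Editor writes when you edit the site because the authentication sections are locked at server level by default. Assumed names: the site is "Default Web Site", the local account is AOP_PLACEHOLDER_USER, and the certificate Cloudflare presents is issued by the CA whose CN is origin-pull.cloudflare.net (the name shown in step 4).

```xml
<!-- applicationHost.config (%windir%\System32\inetsrv\config), site-level <location> block.
     Assumptions, not taken from the post: site name "Default Web Site" and a local,
     low-privilege account AOP_PLACEHOLDER_USER created only for this mapping. -->
<location path="Default Web Site">
  <system.webServer>
    <security>
      <!-- Step 3 of the post: require TLS and require (not merely accept) a client certificate -->
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
      <authentication>
        <!-- Anonymous access must stay off, otherwise unmapped certificates still get through -->
        <anonymousAuthentication enabled="false" />
        <iisClientCertificateMappingAuthentication enabled="true"
            manyToOneCertificateMappingsEnabled="true"
            oneToOneCertificateMappingsEnabled="false">
          <manyToOneMappings>
            <!-- Every certificate that satisfies the rules below is mapped to this one account -->
            <add name="Cloudflare Authenticated Origin Pulls"
                 enabled="true"
                 permissionMode="Allow"
                 userName="AOP_PLACEHOLDER_USER"
                 password="[PASSWORD-PLACEHOLDER]">
              <rules>
                <!-- Match on the Issuer of the presented certificate: the Cloudflare
                     origin-pull CA imported into Trusted Root in step 4. Matching on
                     Issuer rather than Subject means a certificate signed by any other
                     CA in the store, even with the same CN, is not mapped. -->
                <add certificateField="Issuer"
                     certificateSubField="CN"
                     matchCriteria="origin-pull.cloudflare.net"
                     compareCaseSensitive="false" />
              </rules>
            </add>
          </manyToOneMappings>
        </iisClientCertificateMappingAuthentication>
      </authentication>
    </security>
  </system.webServer>
</location>
```

Every request that passes the mapping runs as the named account, so it should exist locally and hold no rights beyond what the site needs. If a 403 persists after this, Failed Request Tracing distinguishes a certificate rejected at the TLS layer (sslFlags or trust chain) from one that reached the mapping module but matched no rule.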


#2

Hi @freitasm,

I’m by no means an IIS expert, but what error logs do you have when the HTTP 403 is served? I wonder if Request Tracing would reveal something about why IIS is not able to authenticate the “client” (in this case Cloudflare):


#3

403 is the expected HTTP result if authentication fails - it fails because I have not completed the final step, which is to create the one-to-many relationship between certificate and user. This is the missing piece of the puzzle.


#4

@freitasm have you completed any of this part:

Perhaps you can paste the configuration you have here and any IIS users can maybe advise on the specific structure you need to set this up. It seems the part that’s not really clear is exactly how you’d map this client certificate expectation across the entire site (e.g. “all users”).