This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 8%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECT%3C/text%3E%3C/svg%3E)
Dear all,
I have running a WAP (Server 2019) and an IIS (10.0). On IIS, a website is running, https://te.contoso.com/.
A subfolder (te.contoso.com/subfolder) is protected by one-to-one client certificate authentication.
This is working fine, as long I am inside the network. As soon I go via WAP to the protected subfolder, I get an error 403 from IIS (every time with the same device).
WAP is configured as pass through (https://te.contoso.com to https://te.contoso.com). https://te.contoso.com itself is working from external as well.
Only https://te.contoso.com/subfolder displays 403.
How do I have to configure WAP or is this not possible like this?
Seems like WAP is not delivering the client certificate IIS.
Thanks for your help!
My understanding is that the WAP is terminating the TLS tunnel and establishing a new TLS session with the backend. In this context, the client never talks to the backend directly making the TLS authentication impossible.
You could configure the subfolder to use WS-Federation and federate with ADFS. Then you could enable Certificate Based authentication in the authentication policy in ADFS (both internally and externally), and force the application to request certificate based authentication. More of a workaround but that would do the trick.
Thanks for your explanation!