How do I make IIS isapi redirector forward client certificate to Tomcat via AJP

Question

I have an isapi_redirect component v.1.2.42 installed as an ISAPI filter on IIS and I want to forward requests from IIS to Tomcat via AJP. The problem I'm facing now is that if I use client certificates, the requests that are being forwarded over AJP doesn't seem to contain client certs, even though the incoming request to IIS has client certificate. Is there a way to tell isapi_redirect to forward client certificates?

I found that for Apache mod_jk the solution is to use SSLOptions +ExportCertData option which will forward client cert, but this option doesn't work for isapi_redirect for IIS. Is there anything I can do to make it pass client certificates?

To my understanding the client cert will be available in your app through a base64 encoded value in the `X-ARR-ClientCert` request header. [See](https://blogs.msdn.microsoft.com/benjaminperkins/2014/06/02/configure-application-request-routing-arr-with-client-certificates/) — Federico Sierra, Jan 23 '18 at 19:11

score 0 · Accepted Answer · answered Jan 24 '18 at 09:32

0

I figured that by default the IIS virtual directory SSL Settings have Client Certificates set to Ignore. I changed that to Accept, and now jk connector for IIS does forward client certificates.

answered Jan 24 '18 at 09:32

username

249
1
4
18

How do I make IIS isapi redirector forward client certificate to Tomcat via AJP

1 Answers1