Client IP address with client certificate auth

Hello community,

Our customer has an HAProxy installation with a tcp mode configuration, balancing load between two IIS servers.
That works fine, but it shows NLB’s IP as client’s, which is a problem.

Switching to http mode and enabling x-forwarded-for works, but…

Web app needs clients to authenticate, and there are two methods - username and password, or client certificate card.
User/pass auth works fine and users get the service, but when using authentication with client certificate, users get rejected (probably due to package decryption, adding x-forward field and then re-encryption with haproxy’s cert).

Is there a way to make the client IP address visible in IIS logs while using tcp mode, or any other solution for client IP visibility and personal certificate authentication on HAProxy?

Thank you,