Support optional client certificates for TLS mutual auth
Client certificate optional
In IIS the client certificate may be:
- accepted (certificate optional)
- asked (certificate mandatory)
But on app service it can't be "accepted".
We have added the ability to define exclusion paths for cert based authentication.
You can find this under:
Configuration > General settings > Incoming Client Certificate > Certificate exclusion paths
Blog and docs should follow shortly
Achim Kotremba commented
We also need this feature! It's the only thing preventing us from using Azure Web Apps for our use case.
Is there any new information about this feature?
Richard Barel commented
We also have an API with 'accepted' client certificates. Not all of our endpoints require the certificate... some are authenticated with Basic Auth. This is working in an AWS VM but we need it to work in the Azure App Service Plan too.
Gábor Domonkos commented
Do you have any progress on this?
Peter Widmer commented
I need this as well!
Yes, this is exactly what I need in my project.
Is there any update available on this feature's availability?
Shraddha Patle commented
Eagerly waiting for this functionality, any update on this?
Degant Puri commented
Any update on the implementation of the proposed solution? Know a few projects eagerly waiting for this.
Jeff M commented
Proposed solution does not work for my case -- a site that prompts client certificate selection in the browser, but if cancelled, establishes the TLS connection without a client certificate.
It is true that the user has to make this decision on first approach; if user cancels certificate selection or doesn't have an appropriate certificate, there won't be any opportunity to add a client certificate short of restarting the browser. But that is the way it works now with IIS, so is probably acceptable.
Adarsh Sridhar commented
Yes, that proposed solution works for my scenarios. It would serve as a good stop-gap until there is a better solution.
Richard Fuoco commented
Any progress on this?
Hans Olav commented
"What we can do is introduce an option that will forward a client certificate to the app from the FrontEnd if it finds one."
This will work as long as:
1. the client certificate is validated in the TLS handshake.
2. private (not globally trusted) CAs are supported
The most important in 1. is to verify that the client possesses the private key of the certificate. (This cannot easily be done by simply forwarding the certificate, since the server application cannot ask the client to hash a random byte string.)
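To make the point above concrete, here is an added example (not code from this thread or from App Service) showing what an application can and cannot check once the front end forwards the certificate, combined with the exclusion-path behaviour from the status update. It assumes the certificate arrives as base64 DER in a header named X-Client-Cert (hypothetical), a private CA pinned by the app, and the `cryptography` package.

```python
import base64
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID
EXCLUSION_PATHS = ("/health", "/public")  # constructed: paths that skip client-cert auth
FORWARDED_CERT_HEADER = "X-Client-Cert"   # hypothetical name of the front end's forwarding header

def path_excluded(path, exclusions=EXCLUSION_PATHS):
    return any(path == p or path.startswith(p + "/") for p in exclusions)  # exact or sub-path match

def validate_forwarded_cert(b64_der, ca_cert):
    """App-side checks on a forwarded base64-DER cert: parse, validity window, signature by our private CA.
    Returns subject CN or None. Cannot prove the caller holds the private key; only the TLS handshake can."""
    try:
        cert = x509.load_der_x509_certificate(base64.b64decode(b64_der))
        start = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=timezone.utc)
        end = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
        if not (start <= datetime.now(timezone.utc) <= end) or cert.issuer != ca_cert.subject:
            return None
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes, padding.PKCS1v15(), cert.signature_hash_algorithm)
    except (ValueError, InvalidSignature):
        return None
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value

def authenticate(path, headers, ca_cert):
    """Per-request decision: excluded paths pass anonymously, everything else needs a valid forwarded cert."""
    if path_excluded(path):
        return {"allowed": True, "principal": None}
    principal = validate_forwarded_cert(headers.get(FORWARDED_CERT_HEADER, ""), ca_cert)
    return {"allowed": principal is not None, "principal": principal}

def _cert(cn, issuer_cn, key, signer, start_days, end_days):
    """Constructed test material: a certificate valid from now+start_days to now+end_days."""
    now, name = datetime.now(timezone.utc), lambda c: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, c)])
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now + timedelta(days=start_days)).not_valid_after(now + timedelta(days=end_days))
            .sign(signer, hashes.SHA256()))

def build_test_material():
    """Constructed CA plus three client certs: valid, expired, and signed by a rogue key with the CA's name."""
    ca_key, rogue_key, client_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    ca = _cert("Private CA", "Private CA", ca_key, ca_key, -1, 365)
    b64 = lambda c: base64.b64encode(c.public_bytes(serialization.Encoding.DER)).decode()
    return (ca, b64(_cert("job-runner", "Private CA", client_key, ca_key, -1, 30)),
            b64(_cert("job-runner", "Private CA", client_key, ca_key, -30, -1)),
            b64(_cert("job-runner", "Private CA", client_key, rogue_key, -1, 30)))
```

The rogue-key case is why the signature check matters: an issuer name alone is just a string in the forwarded blob, and even a passing check only tells you the certificate is genuine, not that the sender owns it.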
Mohamed Benaichouche commented
We need this as well :-). We want to use the certificates only for certain critical endpoints.
Martti Kontula commented
Any news on this? The idea of forwarding a found client certificate to the app would be GREAT! This way, we could have custom client certificate validation in the app itself. Not having the prompt or negotiation isn't that bad since in most cases (ymmv) client certs are used in machine-to-machine communications to get away from stored and expiring credentials.
We need this capability as well, except we need to deal with the fact that some users of a single website have a client certificate, and some users do not. In the case where they do not, we need to handle them differently in the application, vs. users who present a user certificate. This has been maddening trying to understand why the SslNegotiateCert web.config value wasn't having the proper effect. It would be nice if the FrontEnd could be modified to give us the option:
That way, it still attempts to prompt the user for the cert, but if they don't have a cert or click Cancel on the dialog, they will still start up the SSL conversation without the client certificate.
Sanjeewa Jayasinghe commented
The suggested solution sounds right. I am trying to secure an ASP.NET MVC web API via client certificates while securing the UI via AAD auth. So the API could either be authenticated with cert (for jobs) or with AAD (for UI). With the way it is currently implemented in Azure App Service, I cannot achieve this.
Any progress on this? Pretty please! :)
Any chance this could be made on this side of Christmas? i.e. does Christmas come early this year? :)
Yes it will work for our application. Like that we can have only one endpoint.
Yes yes yes! I just want the client certificate to be propagated if the LB finds one (sent along with HttpClient or HttpWebRequest or whatever).
Pls make this happen! That would solve all my authentication problems with Web Apps and make my day - no, year! It would make my year!