Enable 'client certificate authentication' per directory
I have a site where only part of it needs to be secured with client certificate authentication. It can be enabled at the site level but not the directory level, as per this article.
Thanks for the feedback. This is not currently possible, as client cert auth on App Service is in require mode and as such cannot be delegated to folder level.
We will review this item and your feedback; we may look to implement this capability based on customer prioritization.
This would also let traffic manager work with client certificates. It doesn't currently.
Is there any update on this issue? Are there any workarounds to allow Client Certificate only for certain endpoints? The moment we enable clientCert, it's unnecessarily prompting for a certificate for all endpoints, which is not acceptable. This is a blocker for us to move to Web App. Any updates would be highly appreciated!
Has there been any progress on this request?
Richard Barel commented
We also have an API with mixed authentication... supporting Client Certificates on some endpoints and basic auth on others. This is working in an AWS VM, but we need it to work in the Azure App Service Plan too.
Hi Andrew, is there any progress on the review? We are still in need of this as a requirement to use Azure Web Apps.
How is the review for this request going? We have the same use case as Andy, where we need client cert authentication to be enabled for parts of the website. It would be good to see feature parity for client cert authentication with IIS.
Andy Atyeo commented
Another customer here - hoping this can get implemented.
My company also finds the restrictions on Azure client certificate authentication a problem. In some cases this means we cannot implement features we would like to, and in other cases it means we cannot use Azure webapps/appservices for our solution.
The limitations are:
1. Can't enable client cert auth per directory (URL).
2. Azure doesn't support 'Allow Client Certificates' (it is either on or off). IIS supports this 'allow' mode. This means some use cases where server code has to use client cert auth for some calls but not others are not possible. This could have been another way to work around the previous restriction (which again would have been possible in IIS but not in Azure).