We welcome user feedback and feature requests!

← Web Apps

Enable 'client certificate authentication' per directory

I have a site that only part of it needs to be secured with client certificate authentication, it is able to be enabled on the site level but not the directory level as per this article.

https://docs.microsoft.com/en-us/azure/app-service-web/app-service-web-configure-tls-mutual-auth

434 votes
Vote
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Alex shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
under review  ·  AdminAzure App Service team (Product Owner, Microsoft Azure) responded  · 

Hi,
thanks for the feedback. This is not currently possible as client cert auth on App Service is in require mode and as such cannot be delegated to folder level.

We will review this item and your feedback, we may look to implement this capability based on customer prioritization.

Thanks

Andrew

13 comments

Attach a File
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Alex commented  ·   ·  Flag as inappropriate

    Hi Andrew

    Is there any progress on looking to implement this feature? It shouldn't be too difficult since IIS already allows for this functionality.

    Alex

  • John Delisle commented  ·   ·  Flag as inappropriate

    This could also serve to address App Service with Client Cert Auth incompatibility with Azure Traffic Manager.

  • Anonymous commented  ·   ·  Flag as inappropriate

    This would also let traffic manager work with client certificates. It doesn't currently.

  • Anonymous commented  ·   ·  Flag as inappropriate

    Hi Andrew,

    Is there any update on this issue? Are there any workaround to allow Client Certificate only for certain endpoints? The moment we enable clientCert it's unnecessarily prompting certificate for all endpoints which is not acceptable. This is a blocker for us to move to Web App. Any updates would be highly appreciated!

    Thanks,
    Deva

  • Richard Barel commented  ·   ·  Flag as inappropriate

    We also have an API with mixed authentication... supporting Client Certificates on some endpoints and basic auth on others. This is working in an AWS VM but need it to work in the Azure App Service Plan too.

  • Alex commented  ·   ·  Flag as inappropriate

    Hi Andrew, is there any progress on review, we are still in need of this as a requirement to use azure web apps.

    Alex

  • Alex commented  ·   ·  Flag as inappropriate

    Hi, Andrew

    How is the review for this request going, we have the same use case as Andy where we need client cert authentication to be enabled for parts of the website, it would be good to see feature parity for client cert authentication with IIS.

    Alex

  • Andy Atyeo commented  ·   ·  Flag as inappropriate

    Another customer here - hoping this can get implemented.

    My company also finds the restrictions on Azure client certificate authentication a problem. In some cases this means we cannot implement features we would like to, and in other cases means we cannot use Azure webapps/appservices for our solution

    The limitations are:
    1. cant enable client cert auth per directory (URL)
    2. Azure doesnt support 'Allow Client Certificates' (it is either on or off). IIS supports this 'allow' mode. This means some use-cases where server code has to use client cert auth for some calls but not others is not possible. This could have been another way to work around the previous restriction (which again would have been possible in IIS but not in Azure).

Web Apps

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice