Enable 'client certificate authentication' per directory
I have a site that only part of it needs to be secured with client certificate authentication, it is able to be enabled on the site level but not the directory level as per this article.
https://docs.microsoft.com/en-us/azure/app-service-web/app-service-web-configure-tls-mutual-auth
Alex
shared this idea
Hi,
thanks for the feedback. This is not currently possible as client cert auth on App Service is in require mode and as such cannot be delegated to folder level.
We will review this item and your feedback, we may look to implement this capability based on customer prioritization.
Thanks
Andrew
14 comments
-
Alex
commented
Hi App Service Product Owner
Can you please advise how the review of this item is going, nothing but radio silence for quite a while on this request...
Alex
-
Anonymous
commented
This is pretty common scenario when you have multiple AUTH models - AAD, Token, Client Cert, etc. - please support this standard IIS behavior.
Reference: https://blogs.msdn.microsoft.com/asiatech/2014/01/27/configuring-arr-with-client-certificate/
-
Alex
commented
Hi Andrew
Is there any progress on looking to implement this feature? It shouldn't be too difficult since IIS already allows for this functionality.
Alex
-
Anonymous
commented
Any updates on this, we have same requirement
-
John Delisle
commented
This could also serve to address App Service with Client Cert Auth incompatibility with Azure Traffic Manager.
-
Alex
commented
Hi App Service Team
Is there any updates on this item?
-
Anonymous
commented
This would also let traffic manager work with client certificates. It doesn't currently.
-
Anonymous
commented
Hi Andrew,
Is there any update on this issue? Are there any workaround to allow Client Certificate only for certain endpoints? The moment we enable clientCert it's unnecessarily prompting certificate for all endpoints which is not acceptable. This is a blocker for us to move to Web App. Any updates would be highly appreciated!
Thanks,
Deva -
Alex
commented
Hi Andrew
Has there been any progress on this request?
Alex
-
Richard Barel
commented
We also have an API with mixed authentication... supporting Client Certificates on some endpoints and basic auth on others. This is working in an AWS VM but need it to work in the Azure App Service Plan too.
-
Alex
commented
Hi Andrew, is there any progress on review, we are still in need of this as a requirement to use azure web apps.
Alex
-
Alex
commented
Hi, Andrew
How is the review for this request going, we have the same use case as Andy where we need client cert authentication to be enabled for parts of the website, it would be good to see feature parity for client cert authentication with IIS.
Alex
-
Andy Atyeo
commented
Another customer here - hoping this can get implemented.
My company also finds the restrictions on Azure client certificate authentication a problem. In some cases this means we cannot implement features we would like to, and in other cases means we cannot use Azure webapps/appservices for our solution
The limitations are:
1. cant enable client cert auth per directory (URL)
2. Azure doesnt support 'Allow Client Certificates' (it is either on or off). IIS supports this 'allow' mode. This means some use-cases where server code has to use client cert auth for some calls but not others is not possible. This could have been another way to work around the previous restriction (which again would have been possible in IIS but not in Azure). -
Alex
commented
Thanks Andrew