We welcome user feedback and feature requests!

Enable 'client certificate authentication' per directory

I have a site where only part of it needs to be secured with client certificate authentication. It is able to be enabled on the site level but not the directory level, as per this article.

https://docs.microsoft.com/en-us/azure/app-service-web/app-service-web-configure-tls-mutual-auth

317 votes
    Alex shared this idea

    Hi,
    thanks for the feedback. This is not currently possible as client cert auth on App Service is in require mode and as such cannot be delegated to folder level.

    We will review this item and your feedback; we may look to implement this capability based on customer prioritization.

    Thanks

    Andrew

    8 comments

      • Anonymous commented

        This would also let traffic manager work with client certificates. It doesn't currently.

      • Anonymous commented

        Hi Andrew,

        Is there any update on this issue? Are there any workarounds to allow Client Certificate only for certain endpoints? The moment we enable clientCert it's unnecessarily prompting for a certificate for all endpoints, which is not acceptable. This is a blocker for us to move to Web App. Any updates would be highly appreciated!

        Thanks,
        Deva

      • Richard Barel commented

        We also have an API with mixed authentication... supporting Client Certificates on some endpoints and basic auth on others. This is working in an AWS VM but we need it to work in the Azure App Service Plan too.

      • Alex commented

        Hi Andrew, is there any progress on the review? We are still in need of this as a requirement to use Azure web apps.

        Alex

      • Alex commented

        Hi, Andrew

        How is the review for this request going? We have the same use case as Andy, where we need client cert authentication to be enabled for parts of the website. It would be good to see feature parity for client cert authentication with IIS.

        Alex

      • Andy Atyeo commented

        Another customer here - hoping this can get implemented.

        My company also finds the restrictions on Azure client certificate authentication a problem. In some cases this means we cannot implement features we would like to, and in other cases it means we cannot use Azure webapps/appservices for our solution.

        The limitations are:
        1. Can't enable client cert auth per directory (URL).
        2. Azure doesn't support 'Allow Client Certificates' (it is either on or off). IIS supports this 'allow' mode. This means some use cases where server code has to use client cert auth for some calls but not others are not possible. This could have been another way to work around the previous restriction (which again would have been possible in IIS but not in Azure).
