Enable 'client certificate authentication' per directory
I have a site where only part of it needs to be secured with client certificate authentication. It can be enabled at the site level but not at the directory level, as per this article:
https://docs.microsoft.com/en-us/azure/app-service-web/app-service-web-configure-tls-mutual-auth

Hello everyone,
Thank you for voting on this item and providing feedback. We have improved the client cert authentication feature to exclude user-specified paths from authentication. See the docs below for more information.
Thank you,
Jason
14 comments
-
Alex commented
Hi App Service Product Owner
Can you please advise how the review of this item is going? Nothing but radio silence for quite a while on this request...
Alex
-
Anonymous commented
This is a pretty common scenario when you have multiple AUTH models - AAD, Token, Client Cert, etc. - please support this standard IIS behavior.
Reference: https://blogs.msdn.microsoft.com/asiatech/2014/01/27/configuring-arr-with-client-certificate/
-
Alex commented
Hi Andrew
Is there any progress on looking to implement this feature? It shouldn't be too difficult since IIS already allows for this functionality.
Alex
-
Anonymous commented
Any updates on this? We have the same requirement.
-
John Delisle commented
This could also serve to address App Service with Client Cert Auth incompatibility with Azure Traffic Manager.
-
Alex commented
Hi App Service Team
Are there any updates on this item?
-
Anonymous commented
This would also let traffic manager work with client certificates. It doesn't currently.
-
Anonymous commented
Hi Andrew,
Is there any update on this issue? Are there any workarounds to allow Client Certificate only for certain endpoints? The moment we enable clientCert it's unnecessarily prompting for a certificate on all endpoints, which is not acceptable. This is a blocker for us to move to Web App. Any updates would be highly appreciated!
Thanks,
Deva
-
Alex commented
Hi Andrew
Has there been any progress on this request?
Alex
-
Richard Barel commented
We also have an API with mixed authentication... supporting Client Certificates on some endpoints and basic auth on others. This is working in an AWS VM but need it to work in the Azure App Service Plan too.
-
Alex commented
Hi Andrew, is there any progress on the review? We are still in need of this as a requirement to use Azure web apps.
Alex
-
Alex commented
Hi, Andrew
How is the review for this request going? We have the same use case as Andy where we need client cert authentication to be enabled for parts of the website. It would be good to see feature parity for client cert authentication with IIS.
Alex
-
Andy Atyeo commented
Another customer here - hoping this can get implemented.
My company also finds the restrictions on Azure client certificate authentication a problem. In some cases this means we cannot implement features we would like to, and in other cases means we cannot use Azure webapps/appservices for our solution.
The limitations are:
1. Can't enable client cert auth per directory (URL).
2. Azure doesn't support 'Allow Client Certificates' (it is either on or off). IIS supports this 'allow' mode. This means some use-cases where server code has to use client cert auth for some calls but not others are not possible. This could have been another way to work around the previous restriction (which again would have been possible in IIS but not in Azure).
-
Alex commented
Thanks Andrew