
We have implemented Mutual Client Certificate Authentication between an Azure front end web app and Azure APIM. We have created a self-signed client certificate mapped to a custom domain from where the APIM Proxy API is getting called. Additionally, we have uploaded the same certificate at APIM and added a Thumbprint Authentication policy. The certificate has been uploaded at the Azure front end web app under the TLS/SSL Settings tab by adding TLS/SSL bindings, and ClientCertificateEnabled is marked as true.

We are expecting that the certificate will be forwarded to APIM from the Azure front end web app as a header X-ARR-ClientCert, with the thumbprint of the certificate as its value. To validate this, we are capturing the header when the request comes to APIM and forwarding the same to the output so we can confirm, by writing the below line:

<set-variable name="X-ARR-ClientCert" value="@(context.Request.Headers.GetValueOrDefault("X-ARR-ClientCert", "No Certificate Received"))" />

But all the time, we are getting the value "No Certificate Received".

Is this approach working as per our expectations or not? Or how do we validate this?

Note: Currently APIM is on the Developer tier. Do we have to scale it up to Basic?

  • This must be a problem with the Azure front end web app, not APIM. APIM has no special handling of most headers, and not in this scenario for sure. It simply does not receive a header with the certificate thumbprint. That must mean that the web app does not forward it. Could you describe a bit more clearly what policies you set up in APIM and how exactly traffic flows in your scenario, please. – Vitaliy Kurokhtin Jan 04 '20 at 21:06
  • @VitaliyKurokhtin: 1. We have created a self-signed certificate for the Azure front end web application and the same has been uploaded at APIM. 2. Then we are opening our custom domain URL mapped to the Azure front end web app and then calling the APIM proxy on button click. 3. Now, as per the documentation, the Azure front end web app should send the certificate thumbprint with the header "X-ARR-ClientCert" and APIM should validate the same using the below policy applied: – vinay Jan 06 '20 at 04:33
  • 4. In addition, to validate this, we are capturing this header in a variable at APIM, as mentioned above already. 5. We checked using an Azure function, but the mentioned header is still missing from the Azure front end web app request. – vinay Jan 06 '20 at 04:34
  • Where exactly did you upload certificate in APIM, there are several places. Do you actually send client certificate when you make a call to APIM? – Vitaliy Kurokhtin Jan 06 '20 at 08:48
  • @VitaliyKurokhtin: We have uploaded the certificate at the Certificates option available at APIM. The same certificate has been uploaded at TLS/SSL settings -> Private Key Certificates option available in the Azure Web app, and ClientCertificate is enabled as true. So as per the below link, after enabling the ClientCertificate option as true, the Azure web app should send the uploaded certificate's fingerprint as a header "X-ARR-ClientCert". [link](https://learn.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth) – vinay Jan 06 '20 at 11:38
  • But unfortunately our front end web app is not sending this header, and so APIM is not able to validate the same. – vinay Jan 06 '20 at 11:38
  • The web app will only send this header if the client making the request to the web app does so with a client certificate. Does your client do that? – Vitaliy Kurokhtin Jan 06 '20 at 16:16
  • Could you also describe who is making the request to APIM? Is the call made from the browser, or from the web app's server-side code? – Vitaliy Kurokhtin Jan 06 '20 at 16:18
  • @VitaliyKurokhtin: We have both scenarios, one from the browser and another from the server side. Right now we are trying from the browser, for which we have raised the query. The server side is yet to be worked upon, but I guess it will work for the server side. Can you please suggest how we can achieve this for the browser approach for client-side rendered web apps, for example Angular, React, etc. – vinay Jan 07 '20 at 03:34
  • @VitaliyKurokhtin: Any input from your end? – vinay Jan 08 '20 at 04:14
  • @VitaliyKurokhtin: Any suggestion from your end? For mobile applications this scenario is working fine, as well as server-side coding. We have created samples and tested them also; they are working fine. Now what remains is the browser-side coding. – vinay Jan 13 '20 at 03:23
  • You should see X-ARR-ClientCert header present ONLY in your web app server side code. It will not be present in request to APIM unless you manually add it. If you're using client auth with APIM you do not need to worry about any headers - just check context.Request.Certificate, like in this section: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients#checking-the-thumbprint – Vitaliy Kurokhtin Jan 13 '20 at 19:31
  • Okay thanks for your reply and guidance @VitaliyKurokhtin :-) – vinay Jan 15 '20 at 09:00
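As an added example (not code from the question, the comments, or the linked documentation), here is an APIM inbound policy that follows the last comment's advice: it validates the TLS client certificate presented to APIM itself via context.Request.Certificate instead of looking for an X-ARR-ClientCert header, which App Service exposes only to the web app's own server-side code. The thumbprint and the response header name are placeholders, not values from this page.

```xml
<!-- Added example policy. PLACEHOLDER-THUMBPRINT stands in for the expected
     client certificate thumbprint; X-Client-Cert-Thumbprint is a name chosen
     here for troubleshooting output. -->
<policies>
    <inbound>
        <base />
        <choose>
            <!-- No client certificate was negotiated on the TLS connection to APIM -->
            <when condition="@(context.Request.Certificate == null)">
                <return-response>
                    <set-status code="403" reason="Client certificate required" />
                </return-response>
            </when>
            <!-- Certificate presented, but it is outside its validity period -->
            <when condition="@(DateTime.UtcNow > context.Request.Certificate.NotAfter || context.Request.Certificate.NotBefore > DateTime.UtcNow)">
                <return-response>
                    <set-status code="403" reason="Client certificate expired or not yet valid" />
                </return-response>
            </when>
            <!-- Certificate is valid in time but is not the expected one -->
            <when condition="@(context.Request.Certificate.Thumbprint != "PLACEHOLDER-THUMBPRINT")">
                <return-response>
                    <set-status code="403" reason="Invalid client certificate" />
                </return-response>
            </when>
        </choose>
        <!-- Capture what APIM actually received; this replaces the header lookup from the question -->
        <set-variable name="clientCertThumbprint" value="@(context.Request.Certificate.Thumbprint)" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Troubleshooting only: echo the accepted thumbprint so the caller can confirm it -->
        <set-header name="X-Client-Cert-Thumbprint" exists-action="override">
            <value>@((string)context.Variables["clientCertThumbprint"])</value>
        </set-header>
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

context.Request.Certificate is only populated when APIM is configured to request a client certificate on the hostname the caller uses (the "Negotiate client certificate" setting on the custom domain), so check that setting if the first branch always fires. Client certificate validation is available on the Developer tier, so scaling up is not needed for this check.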
