0

I have an Azure APIM with a custom domain and multiple APIs, as shown in the screenshot below:


Each of these APIs has several endpoints underneath it, and all of them have the same host name. There is a Negotiate Client Certificate setting at the custom domain level; I only want to turn that setting on for one of these APIs and not for the other 3. Is that possible?

Fakhar Ahmad Rasul

2 Answers

1

That is not possible. If it is enabled on the custom domain, all connections through that custom domain will initiate a client certificate request.

It does not hurt if it is enabled for all the APIs. If the client ignores the certificate request, the call will not fail unless your API has logic to validate the certificate; because of that, have your certificate validation logic only at the API level.

See this for more details: Multiple APIs within Azure APIM with different authentication requirements

Mo Haidar
  • I know it does not hurt, but the issue I am facing is that many of our application's users have more than one certificate installed on their machines. Because of the additional certificates, when they access our application they see a popup in the browser to select a certificate, and we would like to not have that popup shown to the user. – Fakhar Ahmad Rasul Apr 04 '23 at 16:01
  • You may create multiple custom domains, and for those APIs that do not require certificate negotiation, just access them through the domain that does not enable Negotiate Client Certificate. You will continue to be able to access all the APIs through any of the custom domains, but unfortunately this is the only workaround from the APIM perspective. – Mo Haidar Apr 04 '23 at 19:04
  • Another, more complex solution would be hiding your service behind Application Gateway, which I think offers client cert authentication per listener, but you need to verify if this works for you. – Mo Haidar Apr 04 '23 at 19:25
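
An added example, not part of the original answer or taken from the asker's APIM instance: an API-scoped policy that keeps the client certificate check on the one API that needs it, as the answer above recommends, while the other APIs on the same custom domain carry no such check. It assumes the trusted client certificates have been uploaded to the APIM instance (matched through `context.Deployment.Certificates`); the 403 status and reason text are choices made for this example.

```xml
<!-- Added example: apply at API scope, only on the API that requires a client certificate. -->
<policies>
    <inbound>
        <base />
        <choose>
            <!-- Reject when no certificate was presented, when chain validation fails,
                 or when the thumbprint matches none of the certificates uploaded to
                 this APIM instance (assumption: trusted certs are uploaded there). -->
            <when condition="@(context.Request.Certificate == null || !context.Request.Certificate.Verify() || !context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint))">
                <return-response>
                    <set-status code="403" reason="Invalid client certificate" />
                </return-response>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

This policy only decides whether a request is accepted; the certificate request during the TLS handshake is still controlled by the Negotiate Client Certificate setting on the custom domain.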
0

It depends on the APIM SKU. If your APIM is on Consumption tier, you can only enable/disable client certificate negotiation at the custom domain level. If your APIM is on Developer, Basic, Standard, or Premium tier then you can control this setting at endpoint level.

Reference is here