Access Denied error on mutual authentication in Application Gateway v2 and Azure App Service

Mohsen Akhavan 936 Reputation points
2022-11-09T20:04:16.427+00:00

Ref 1: https://www.starwindsoftware.com/blog/mutual-tls-mtls-or-client-certificate-authentication-with-an-azure-application-gateway-and-an-app-service-application

Ref 2: https://learn.microsoft.com/en-us/azure/application-gateway/mutual-authentication-powershell

I've implemented mutual (certificate) authentication and hosted my app on Azure App Service. When I open my app URL https://apptemp.azurewebsites.net/swagger/index.html directly and then select a client certificate, the app works well and I see my app page.
258871-image.png

Now I've added an Azure Application Gateway V2 (without WAF) with the configuration below.

  1. I configured this item on my web app
    258797-screenshot-2022-11-09-at-220604.png
  2. I added a backend pool to my web app
    258881-image.png
  3. I configured the backend HTTP setting
    258825-image.png
  4. I created an SSL profile with a public certificate that is exported from the root certificate. The root certificate was uploaded to the server.
    258891-image.png
  5. I added a listener
    258798-image.png
  6. I added a health probe with the config below.
    258872-image.png

For the resulting test, I received this error:

Received invalid status code: 403 in the backend server’s HTTP response. As per the health probe configuration, 200-399 is the acceptable status code. Either modify probe configuration or resolve backend issues.  

I also received a 502 Bad Gateway when I opened the test.mydomain.com URL.
258826-image.png

  1. I changed the HTTP response status code match to 200-403 and then received a Healthy status.
    258837-image.png

But when I open the test.mydomain.com URL, I receive the error below.
258883-image.png

I am really confused about what the problem is :(


Accepted answer
ChaitanyaNaykodi-MSFT 22,776 Reputation points Microsoft Employee
2022-11-10T02:29:17.87+00:00

@Mohsen Akhavan ,

Welcome to the Microsoft Q&A forum. Based on the documentation here, can you please confirm that there is a root CA certificate in the client certificate that you have uploaded? If you've uploaded a certificate chain with root CA and intermediate CA certificates, the certificate chain must be uploaded as a PEM or CER file to the gateway.
From the screenshots above I can see that you have enabled Verify client certificate DN. Based on the scenarios mentioned here, can you please confirm that the issue is not due to DN verification.
You can also follow this troubleshooting document for additional help. Thank you!
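The two checks the accepted answer asks for (is there a self-signed root CA in the uploaded chain, and does the client certificate chain to it?) can be scripted against the PEM file before it is re-uploaded to the gateway. This is an added example, not code from the thread or from Microsoft; it assumes the openssl CLI, the function name check_client_ca_bundle is hypothetical, and the root, intermediate and client certificates it generates are constructed stand-ins for the real ones.

```shell
# Added example (not from the thread): sanity-check the PEM bundle meant for the gateway's
# trusted client CA upload. Assumes the openssl CLI; the demo PKI below is constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
# mkcert <name> <subject> <ext-section> [<issuer name>]; no issuer means self-signed root
mkcert() {
  openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$1.key"
  if [ $# -eq 3 ]; then
    openssl req -x509 -new -key "$WORK/$1.key" -subj "$2" -days 1 -config "$WORK/cfg" \
      -extensions "$3" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl req -new -key "$WORK/$1.key" -subj "$2" -config "$WORK/cfg" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" -CAcreateserial \
      -days 1 -extfile "$WORK/cfg" -extensions "$3" -out "$WORK/$1.pem" 2>/dev/null
  fi
}
mkcert root "/CN=Demo Root CA" ca
mkcert int "/CN=Demo Issuing CA" ca root
mkcert client "/CN=appgw-demo-client" leaf int
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/good.pem"  # root + intermediate: what the gateway needs
# "$WORK/int.pem" alone stands in for the common mistake: a chain uploaded without its root
# check_client_ca_bundle <bundle.pem> <client.pem>: succeeds only if the bundle contains a
# self-signed root AND the client cert chains to it for TLS client auth; also prints the
# client cert's issuer DN, which the gateway compares when issuer DN verification is enabled.
check_client_ca_bundle() {
  rm -f "$WORK"/part*.pem; n=0; roots=0
  while IFS= read -r line; do   # split the bundle into one file per certificate
    case $line in "-----BEGIN CERTIFICATE-----") n=$((n+1)); : > "$WORK/part$n.pem";; esac
    printf '%s\n' "$line" >> "$WORK/part$n.pem"
  done < "$1"
  for p in "$WORK"/part*.pem; do   # a cert that verifies against itself alone is a root
    openssl verify -CAfile "$p" "$p" >/dev/null 2>&1 && roots=$((roots+1))
  done
  [ "$roots" -ge 1 ] || { echo "FAIL: no self-signed root CA among $n cert(s) in $1"; return 1; }
  openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "FAIL: $2 does not chain to $1"; return 1; }
  echo "OK: $n cert(s), $roots root(s); client $(openssl x509 -in "$2" -noout -issuer)"
}
check_client_ca_bundle "$WORK/good.pem" "$WORK/client.pem" || true
check_client_ca_bundle "$WORK/int.pem" "$WORK/client.pem" || true
```

Run it against the real bundle and client certificate by replacing the two paths in the last calls; a FAIL on the first check is the missing-root case the answer describes, and the printed issuer DN is what must match a CA in the bundle when issuer DN verification is on.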

