Client Certificate HTTP Header not populating

Question

Client Certificate HTTP Header not populating

Ryan Parino 0

I have an azure app service which I've configured to set "Client Certificate Mode" to "Require" in General Settings. I am trying to access the client certificate upon successful connection.

Per the docs, it says that

In App Service, TLS termination of the request happens at the frontend load balancer. When forwarding the request to your app code with client certificates enabled, App Service injects an X-ARR-ClientCert request header with the client certificate. App Service does not do anything with this client certificate other than forwarding it to your app. Your app code is responsible for validating the client certificate. For ASP.NET, the client certificate is available through the HttpRequest.ClientCertificate property. For other application stacks (Node.js, PHP, etc.), the client cert is available in your app through a base64 encoded value in the X-ARR-ClientCert request header.

I am not seeing any header by the name of X-ARR-ClientCert at all, let alone the CA, CN, or DN.

I have set up a minimal example environment, brand new app service with no changes, and seeing not headers - either in response or request, that include the client certificate in header under the name X-ARR-ClientCert. I have a valid client certificate installed, which is allowing me in - I just have no access to the client certificate, as the docs state I should..

Images below to show what I'm seeing:

Screen Shot 2023-05-23 at 8.07.04 PM

Screen Shot 2023-05-23 at 8.10.56 PM

ajkuma 28,111 Reputation points Microsoft Employee Moderator

2023-05-24T16:38:59.08+00:00

@Ryan Parino ,

I understand from your issue description, you are not seeing the X-ARR-ClientCert and you have reviewed the network trace. And, you have referred to the doc steps from this.

When accessing the site, I’m seeing this-

Just to highlight:

Typically if you don’t see the header in your requests, it is possible that the header is being stripped out by a firewall or other network device between your client and the Azure App Service.

You may always leverage App Service diagnostics from Azure Portal> Navigate to your App Service app in the Azure Portal. (screenshot below)

In the left navigation, click on **Diagnose and solve problems** - Review – “SSL and Domains" options

Kindly let us know, I'll follow-up with you further.
Ryan Parino 0 Reputation points

2023-05-25T21:09:47.53+00:00

@ajkuma,

As you can see from my example - I have used the barebones azure app service architecture, with no added layers, firewalls, network devices, or proxies whatsoever. Is there a reason that what's written clearly in the documentation would be getting stripped with the baselines architecture that it describes?
ajkuma 28,111 Reputation points Microsoft Employee Moderator

2023-05-31T12:44:28.8633333+00:00

Ryan, Just checking in to see if you had got a chance to see the previous response. Kindly let us know, we will be more than happy to assist you.

1 answer

Your answer

ajkuma 28,111 Reputation points Microsoft Employee Moderator

2023-05-24T16:38:59.08+00:00

@Ryan Parino ,

I understand from your issue description, you are not seeing the X-ARR-ClientCert and you have reviewed the network trace. And, you have referred to the doc steps from this.

When accessing the site, I’m seeing this-

Just to highlight:

Typically if you don’t see the header in your requests, it is possible that the header is being stripped out by a firewall or other network device between your client and the Azure App Service.

You may always leverage App Service diagnostics from Azure Portal> Navigate to your App Service app in the Azure Portal. (screenshot below)

In the left navigation, click on **Diagnose and solve problems** - Review – “SSL and Domains" options

Kindly let us know, I'll follow-up with you further.
Ryan Parino 0 Reputation points

2023-05-25T21:09:47.53+00:00

@ajkuma,

As you can see from my example - I have used the barebones azure app service architecture, with no added layers, firewalls, network devices, or proxies whatsoever. Is there a reason that what's written clearly in the documentation would be getting stripped with the baselines architecture that it describes?
ajkuma 28,111 Reputation points Microsoft Employee Moderator

2023-05-31T12:44:28.8633333+00:00

Ryan, Just checking in to see if you had got a chance to see the previous response. Kindly let us know, we will be more than happy to assist you.

Answer 1

ajkuma 28,111 Microsoft Employee Moderator

Apologies for the delay from over the weekend and any confusion from my earlier post.

As the header is injected in between the frontend and worker, so the client (/from browser) will not see the header.
As you notice the WebApp is prompting for the certificate as expected, so your config is fine.
User's image

You may take a look at this article (it’s old, but concepts still appliable) on validating the certificate.

Share via

Client Certificate HTTP Header not populating

1 answer

Your answer