Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are facing a 421 HTTP error with an Azure Front Door multitenant setup while using a wildcard certificate.
The respective RFC mentions here that the client "MAY retry the request", thus not imposing any MUST/SHOULD condition on the client.
I would say this is a limitation of the HTTP implementation rather than the products involved.
Your current scenario:
- Customer1, Customer2, Common content, Authentication - *.contoso.com
Is it possible that you create individual certificates for the Common content and Authentication and use your wildcard certificate for the customer sites?
So, you'll be having 3 certificates:
- Customers
  - Customer1 - *.contoso.com
  - Customer2 - *.contoso.com
- Common content - content.contoso.com
- Authentication - login.contoso.com
While no one can guarantee that a single user would not successively access customerx.contoso.com and customery.contoso.com, I believe the majority of the time it will be login.contoso.com ---> content.contoso.com or login.contoso.com ---> customerx.contoso.com, and as such, domain fronting would not happen.
We can wait for other community members to add their points.
Meanwhile, let me know if you have any queries on this.
Cheers,
Kapil
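The reasoning in the answer above rests on HTTP/2 connection coalescing (RFC 7540 section 9.1.1): a client may reuse an open TLS connection for a second hostname when the certificate on that connection is also valid for the new hostname, and a frontend that is not configured for that hostname answers 421. The following is an added simulation, not code from the original thread or from Azure Front Door, that models this rule for the two certificate layouts discussed. It assumes all hostnames resolve to the same edge IP (so the coalescing precondition on IP address is met), that each tenant is a separate endpoint bound to its own certificate, and that the client does not retry on 421; the endpoint and host names are constructed for illustration.

```python
from dataclasses import dataclass

# RFC 6125-style matching: "*.contoso.com" covers exactly one extra label,
# so it matches "login.contoso.com" but not "a.b.contoso.com" or "contoso.com".
def san_matches(san: str, host: str) -> bool:
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        suffix = san[1:]                      # ".contoso.com"
        if not host.endswith(suffix):
            return False
        leftmost = host[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return san == host


def cert_covers(sans: tuple, host: str) -> bool:
    return any(san_matches(s, host) for s in sans)


@dataclass(frozen=True)
class Endpoint:
    """One tenant/frontend: the certificate it presents and the hosts it serves."""
    name: str
    cert_sans: tuple
    served_hosts: frozenset


def handle(endpoint: Endpoint, host: str) -> int:
    # A frontend that is not configured for the requested host answers 421.
    return 200 if host in endpoint.served_hosts else 421


def run(endpoints: list, sequence: list) -> list:
    """Replay a browsing sequence and return (host, endpoint used, status) per request.

    Client behaviour modelled: reuse the first open connection whose certificate
    covers the new host (RFC 7540 section 9.1.1 coalescing); otherwise open a new
    connection via SNI to the endpoint that actually serves the host.
    """
    open_conns: list = []
    results = []
    for host in sequence:
        ep = next((c for c in open_conns if cert_covers(c.cert_sans, host)), None)
        if ep is None:
            ep = next(e for e in endpoints if host in e.served_hosts)
            open_conns.append(ep)
        results.append((host, ep.name, handle(ep, host)))
    return results


WILDCARD = ("*.contoso.com",)
HOSTS = {
    "auth": "login.contoso.com",
    "common": "content.contoso.com",
    "customer1": "customer1.contoso.com",
    "customer2": "customer2.contoso.com",
}


def build(cert_for: dict) -> list:
    return [Endpoint(n, cert_for[n], frozenset({h})) for n, h in HOSTS.items()]


def scenario_single_wildcard() -> list:
    """Every tenant presents *.contoso.com: any connection is 'valid' for any host."""
    endpoints = build({n: WILDCARD for n in HOSTS})
    return run(endpoints, [HOSTS["auth"], HOSTS["common"], HOSTS["customer1"]])


def scenario_split_certs() -> list:
    """Layout proposed in the answer: dedicated certs for login and content,
    wildcard only for customer tenants."""
    endpoints = build({
        "auth": ("login.contoso.com",),
        "common": ("content.contoso.com",),
        "customer1": WILDCARD,
        "customer2": WILDCARD,
    })
    return run(endpoints, [HOSTS["auth"], HOSTS["common"],
                           HOSTS["customer1"], HOSTS["customer2"]])


if __name__ == "__main__":
    for name, fn in (("single wildcard", scenario_single_wildcard),
                     ("split certificates", scenario_split_certs)):
        print(f"== {name} ==")
        for host, ep, status in fn():
            print(f"{host:24} via {ep:10} -> {status}")
```

With one wildcard everywhere, the login connection is reused for content.contoso.com and customer1.contoso.com and both get 421. With the split layout, login and content each force a fresh connection and succeed; the only remaining 421 is customer1 ---> customer2, which is exactly the residual case the answer says cannot be ruled out, since both customer tenants still share the wildcard. Watching for 421 responses in the edge access logs is the practical way to confirm whether that residual path is being hit.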