Azure Container Apps
An Azure service that provides a general-purpose, serverless container platform.
176 questions
How to configure TLS mutual authentication for Azure Container App?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 93%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)
Jakub Pernica
170
Reputation points
Hello,
so I've implemented TLS mutual authentication working with my Azure App Service. I have a very simple ASP.NET Core project that's implemented according to this example from documentation. I also added additional validation of thumbprint and everything seems to work as intended when deployed to Azure App Service.
However, if I deploy the exact same code to Azure Container App, it seems like no requests come through (I don't get to any of my Console.WriteLines). For my Container App, I've configured that client certificates are required in the Ingress settings. Seems like App Service has some functionality that Container App doesn't. I'm curious if I need to implement or configure it differently for ACA.
My full code of Program.cs file: https://gist.github.com/kubop/102bdbc77515901ce5390b0884c66446
Appreciate any help.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 10%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
MuthuKumaranMurugaachari-MSFT 18,341 Reputation points2023-11-06T17:26:24.36+00:00 Jakub Pernica Thanks for posting your question in Microsoft Q&A. In Azure App Service, client certificate info is passed via
X-ARR-ClientCertheader. However, in Container apps, the header name isX-Forwarded-Client-Certand details about the header are described in HTTP headers doc. (see similar discussion)Make sure that you configure client certificate authorization in your container apps and the certificates are in PKCS12 format (issued by CA or self-signed).
I hope this helps with your question and let me know if any questions.
-
Jakub Pernica 170 Reputation points
2023-11-07T07:55:04.5+00:00 MuthuKumaranMurugaachari-MSFT Thanks for you input. What I'm trying to achieve is to configure an API Connector in my Azure AD B2C using certificate authentication:
I have generated a self-signed certificate as PKCS 12 in my Key Vault and uploaded it here. I configured my Azure Container App Ingress to Require certificates, however, when running some Azure AD B2C user flows using the API Connector, it seems like the request doesn't even reach my container app for some reason.
When I switch back to "Ignore" client certificates, the user flow works fine.
-
MuthuKumaranMurugaachari-MSFT 18,341 Reputation points
2023-11-08T19:29:02.9966667+00:00 Jakub Pernica Thanks for sharing the additional details. Quickly checking, I see
clientCertificateModeis set as require for ingress. It seems like you have configured API connector as described in Configure your API Connector doc to send client certificate info to Container Apps.This would require deeper investigation in the backend logs to find the cause and our support team can help with that. Do you have a support plan with us?
Sign in to comment