Authentication with mTLS - force the browser to ask for a certifacte again after one failed attempt

Klaus Kiiskinen 0 Reputation points
2024-09-13T07:18:09.8633333+00:00

We are using Application Gatway (appgw) with mTLS which requires a valid client certificate. On the users end there is a smartcard with the valid certifacte and a browser (mostly Edge). The user needs to authenticate him/herself with it. We use Keycloak in the backend.

Everything works fine, if the smardcard is inserted and the user selects the certificate when he/she is asked for it.

If the authentication attempt is done without smardcard inserted or by clicking cancel when asked for the certifiate it ends up with error 400 - "Bad request, No required SSL certifacte was sent" which is also ok and correct.

BUT if the user tries again it always ends up with error 400 on the appgw, even a valid smartcard is inserted now - the browser does not ask for the certificate again (appgw log reports ERRORINFO_HTTPS_NO_CERT, keycloak logs do not show anything - appgw blocks).

When the same browser session is used it will always end up with that error. Deleting cache and local data don't help, new tab doesn't help).

If the browser is closed and re-opened and the smartcard is inserted and the user selects it, everything works again fine.

I can repeat that behaviour on Edge, Chrome and Firefox.

Long story short: Is there a way to "force" the browser to ask for the certifcate again on appgw side (some setting I am not aware of)?

Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,069 questions
{count} votes

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.