client certificate validation on APIM

Question

client certificate validation on APIM

ujjwalDev 46

Hi,

I want to implement client certificate validation in Azure API Management policy to check if the client has a valid certificate.

https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients

I have Application gateway in front of API Management service deployed in internal.

https://stackoverflow.com/questions/57372611/client-certificate-is-not-being-passed-on-by-azure-application-gateway

I see that the the certificate does not come through to APIM Gateway.

Is this the only possible option to fix this issue. This feature seems to be in a preview now. Any timelines on the release for this feature on v1 application gateways.
https://learn.microsoft.com/en-us/azure/application-gateway/mutual-authentication-overview

Answer 1

SaiKishor-MSFT 16,646 Microsoft Employee

@ujjwalDev Firstly we apologize for the delay in response to this question.

We do not have plans to implement Mutual Auth for v1 Application Gateway at the moment. Upgrading to v2 seems like the only option to enable client certificate validation at the moment. Hope this helps. Please let us know if you have any further questions/concerns. Thank you!

ujjwalDev 46 Reputation points

2021-07-02T12:51:39.543+00:00

@SaiKishor-MSFT , thanks for your reply.

Will explore the App Gateway V2 with the preview feature. Do you know the timelines for the GA of the Mutual authentication feature on App Gateway v2.

Another question is using Front Door + Api Management. Is there a way to implement mutual TLS using this combination.
This currently seems to be a feature which is not supported yet.

https://feedback.azure.com/forums/217313-networking/suggestions/37546810-frontdooor-tls-mutual-authentication-x-arr-cli
SaiKishor-MSFT 16,646 Reputation points Microsoft Employee

2021-07-15T17:55:33.273+00:00

@ujjwalDev GA for Mutual Auth is targeted for H2CY 2021. Regarding FD+Api Mutual auth, yes FD Mutual auth is not supported yet. Please let ne know if you have any further questions/concerns. Thank you!
Samuel Schnurr 1 Reputation point

2022-09-27T15:01:28.13+00:00

@ujjwalDev @SaiKishor-MSFT

Is there already a solution?

I can't find a solution for our problem:

We got API Management with Application Gateway in front.
Mutual auth should me mandatory only for specific apis (via api policy).

When accessing api management directly mutual auth works.
When accessing api management via application gateway it doesn't work ("400 No required SSL certificate was sent").
It seems the application gateway does not forward the certificates. Activating mutual auth in the application gateways SSLProfile would not work because then ALL Apis would require mutual auth.

Is there a way to solve it?
Samuel Schnurr 1 Reputation point

2022-09-30T07:14:47.24+00:00

Currently I solved it with a separate Listener and Hostname for mutual auth. In combination with an redirect of the original listener and a policy in APIM which checks the OriginalUrl

client certificate validation on APIM

1 answer

Activity