Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,768 questions
Client Certificate is empty
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 90%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
Matej Kristofik
1
Reputation point
Hello , I have problem with client certificate. When I put API URL with into browser with installed client certificate everything works fine and I get OK response. Problem is when I call same API URL with my web application hosted on IIS server. Certificate is null and I don't know why. I think problem is on API Management service but idk exactly where.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 10%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
MuthuKumaranMurugaachari-MSFT 22,146 Reputation points2022-08-10T14:43:39.45+00:00 @Matej Kristofik Thank you for reaching out to Microsoft Q&A.
I would like to confirm if working scenario via browser test and non-working scenario (calls from the web application) are from same server/machine? If so, have you validated setting "Negotiate client certificate" on Custom domains blade (in azure portal for APIM resource) is turned on for Developer/Basic/Standard or Premium tiers (Setting "Request client certificate" in consumption tier) as per docs: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients?
Can you also please explain how you found certificate was null? Through APIM validate-client-certificate policy or context variables?
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 10%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIK%3C/text%3E%3C/svg%3E)
Ivan Kuka 6 Reputation points2022-08-12T08:42:49.82+00:00 Hello @MuthuKumaranMurugaachari-MSFT .
I am working with @Matej Kristofik on this problem. The thing is that from postman or from local code call to APIM attach certificate and deliver it to the APIM but as we deploy app on server on IIS it receives the certificate but it looks like it does not send any certificate to APIM, in APIM we got check that if there is some certificate do something but it always says that certificate is null. And this is case just for app deployed on IIS on our server. Local code as I mentioned before works well and APIM receives certificate.
-
MuthuKumaranMurugaachari-MSFT 22,146 Reputation points
2022-08-12T14:27:49.517+00:00 @Ivan Kuka @Matej Kristofik Based on your comment, the client certificate works fine from POSTMAN or local code to APIM, and I assume "Negotiate client certificate" and "Default SSL binding" is enabled as per docs. This appears to be an issue either with the client environment (Server), or it goes through proxy/firewall before reaching APIM.
You can find similar thread here https://learn.microsoft.com/en-us/answers/questions/306221/azure-api-management-not-getting-client-certificat.html and I would recommend you capture a network trace using tools like Fiddler (sample: https://learn.microsoft.com/en-us/power-query/web-connection-fiddler) or Wireshark to better understand on what is happening on the client side. If you find traffic goes through proxy/firewall, check with your network admin team.
Also, would like to know if you have App Gateway, Front Door in front of APIM or APIM deployed in VNET? If you can share the network path/flow about local/POSTMAN (azure VM or on-premises/external Desktop) vs server (on-premises or azure), that is helpful to understand more context on the issue.
-
MuthuKumaranMurugaachari-MSFT 22,146 Reputation points
2022-08-16T16:41:25.713+00:00 @Ivan Kuka @Matej Kristofik I would like to follow up on my previous comment and see if it helped. Were you able to capture a network trace and analyze them? If you can share additional information requested, that would help assist you better. Feel free to share your thoughts.
Sign in to comment