MatejKristofik-2033 asked MuthuKumaranMurugaachari-MSFT commented

Client Certificate is empty

Hello, I have a problem with a client certificate. When I put the API URL into a browser with the client certificate installed, everything works fine and I get an OK response. The problem is when I call the same API URL from my web application hosted on an IIS server. The certificate is null and I don't know why. I think the problem is in the API Management service, but I don't know exactly where.

azure-api-management

@MatejKristofik-2033 Thank you for reaching out to Microsoft Q&A.

I would like to confirm whether the working scenario (browser test) and the non-working scenario (calls from the web application) are from the same server/machine. If so, have you validated that the "Negotiate client certificate" setting on the Custom domains blade (in the Azure portal for the APIM resource) is turned on for the Developer/Basic/Standard or Premium tiers (the "Request client certificate" setting in the Consumption tier), as per the docs (https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients)?

Can you also please explain how you found that the certificate was null? Through the APIM validate-client-certificate policy or context variables?


Hello @MuthuKumaranMurugaachari-MSFT.

I am working with @MatejKristofik-2033 on this problem. The thing is that a call to APIM from Postman or from local code attaches the certificate and delivers it to APIM, but when we deploy the app on the server on IIS, it receives the certificate but it looks like it does not send any certificate to APIM. In APIM we have a check that does something if there is a certificate, but it always says that the certificate is null. This is the case only for the app deployed on IIS on our server. Local code, as I mentioned before, works well and APIM receives the certificate.


@IvanKuka-0410 @MatejKristofik-2033 Based on your comment, the client certificate works fine from Postman or local code to APIM, and I assume "Negotiate client certificate" and "Default SSL binding" are enabled as per the docs. This appears to be an issue either with the client environment (server), or the traffic goes through a proxy/firewall before reaching APIM.

You can find a similar thread here: https://docs.microsoft.com/en-us/answers/questions/306221/azure-api-management-not-getting-client-certificat.html. I would recommend you capture a network trace using tools like Fiddler (sample: https://docs.microsoft.com/en-us/power-query/web-connection-fiddler) or Wireshark to better understand what is happening on the client side. If you find that traffic goes through a proxy/firewall, check with your network admin team.

Also, I would like to know if you have App Gateway or Front Door in front of APIM, or APIM deployed in a VNET. If you can share the network path/flow for local/Postman (Azure VM or on-premises/external desktop) vs. server (on-premises or Azure), that would be helpful to understand more context on the issue.


@IvanKuka-0410 @MatejKristofik-2033 I would like to follow up on my previous comment and see if it helped. Were you able to capture a network trace and analyze it? If you can share the additional information requested, that would help us assist you better. Feel free to share your thoughts.


0 Answers