Azure Application Gateway Mutual authentication and client_certificate_verification server variable

Question

Azure Application Gateway Mutual authentication and client_certificate_verification server variable

Bartosz Witkowski 1

Hi,

I have mutual TLS enabled, but when client does not send any certificate then I get "400 Bad Request No required SSL certificate was sent" - that's ok. But, is it possible to use client_certificate_verification server variable to pass the request further and not drop it at all?

Basically, what I want to achieve is to have one domain entry like https://abc.example.com with MTLS configured BUT when a client does not introduce certificate then the request is passed with client_certificate_verification=NONE (as MS docs says).

Are there any conditions/rewrites to do that? Or is there another way?

If not, where is the client_certificate_verification used? According to docs: "The result of the client certificate verification: SUCCESS, FAILED:<reason>, or NONE if a certificate was not present." so FAILED and NONE may be used somewhere...

Thanks!

KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2022-08-30T12:03:05.957+00:00

Hi @Bartosz Witkowski ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are trying to configure mutual authentication as a variable and pass along the request

As per my understanding, I do not think we store any variable as such.

Can you please share docs where you are seeing "The result of the client certificate verification: SUCCESS, FAILED:<reason>, or NONE if a certificate was not present"

Success, Failed and None are present for logging purposes.
So, they should be generated once the request is made and then logged. Not during request processing.

Thanks,
Kapil
Bartosz Witkowski 1 Reputation point

2022-08-31T07:37:58.44+00:00

Hi anonymous user-MSFT ,

Link to documentation: https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url#mutual-authentication-server-variables

It is a little more complicated then simple mutual authentication. I would like to send request to the backend with configured header (using rewrite) with value taken from var_client_certificate_verification set to NONE when the client hasn't introduce client certificate.
Right now, the request is dropped with "400 Bad Request No required SSL certificate was sent".
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2022-09-05T11:41:35.86+00:00
Hi @Bartosz Witkowski ,

I checked this internally and it's not feasible.

For Mutual Authentication to succeed, is that the client will present a LEAF certificate which was issued by a root (or an intermediate/root bundle).

We would never get to the point of performing a header rewrite if we were not able to pass a valid leaf cert for the root (or int/root bundle) that is applied to the SSL Profile.

We must get through the MA Auth check first before we would even let the request into the listener.

Once the request got through the listener and to a rule where there was a rewrite rule in place, we could create request headers from the MA parameters.

However, in our case as the request never completes MA, and will never reach a Listener for rewrite to happen.

Please do let me know if you have further questions on the above.

Thanks,
Kapil
Bartosz Witkowski 1 Reputation point

2022-09-06T06:31:49.857+00:00

Thanks anonymous user-MSFT for the answer.
I was afraid that your answer would be like this. It is logical for MA to work like that, but then, the parameters that can be used (like var_client_certificate_verification ) are just useless :-).
Anyway, one more time thanks for the clarification.

Have a great day!
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2022-09-07T05:03:33.133+00:00

Hi @Bartosz Witkowski ,

I do understand your concern, yes.

Also, you can create a feedback item for this ask, either by using rewrites or directly providing an option to redirect clients with no certificate.
Feedback Hub : https://feedback.azure.com/d365community/forum/8ae9bf04-8326-ec11-b6e6-000d3a4f0789

It is quite possible that if the ask gets enough traction, our Product Group may consider adding this feature.

Thank you for your contribution in Microsoft QnA
Have a great day ahead!

Cheers,
Kapil

Your answer

KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2022-08-30T12:03:05.957+00:00

Hi @Bartosz Witkowski ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are trying to configure mutual authentication as a variable and pass along the request

As per my understanding, I do not think we store any variable as such.

Can you please share docs where you are seeing "The result of the client certificate verification: SUCCESS, FAILED:<reason>, or NONE if a certificate was not present"

Success, Failed and None are present for logging purposes.
So, they should be generated once the request is made and then logged. Not during request processing.

Thanks,
Kapil
Bartosz Witkowski 1 Reputation point

2022-08-31T07:37:58.44+00:00

Hi anonymous user-MSFT ,

Link to documentation: https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url#mutual-authentication-server-variables

It is a little more complicated then simple mutual authentication. I would like to send request to the backend with configured header (using rewrite) with value taken from var_client_certificate_verification set to NONE when the client hasn't introduce client certificate.
Right now, the request is dropped with "400 Bad Request No required SSL certificate was sent".
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2022-09-05T11:41:35.86+00:00

Hi @Bartosz Witkowski ,

I checked this internally and it's not feasible.

For Mutual Authentication to succeed, is that the client will present a LEAF certificate which was issued by a root (or an intermediate/root bundle).

We would never get to the point of performing a header rewrite if we were not able to pass a valid leaf cert for the root (or int/root bundle) that is applied to the SSL Profile.

We must get through the MA Auth check first before we would even let the request into the listener.

Once the request got through the listener and to a rule where there was a rewrite rule in place, we could create request headers from the MA parameters.

However, in our case as the request never completes MA, and will never reach a Listener for rewrite to happen.

Please do let me know if you have further questions on the above.

Thanks,
Kapil
Bartosz Witkowski 1 Reputation point

2022-09-06T06:31:49.857+00:00

Thanks anonymous user-MSFT for the answer.
I was afraid that your answer would be like this. It is logical for MA to work like that, but then, the parameters that can be used (like var_client_certificate_verification ) are just useless :-).
Anyway, one more time thanks for the clarification.

Have a great day!
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2022-09-07T05:03:33.133+00:00

Hi @Bartosz Witkowski ,

I do understand your concern, yes.

Also, you can create a feedback item for this ask, either by using rewrites or directly providing an option to redirect clients with no certificate.
Feedback Hub : https://feedback.azure.com/d365community/forum/8ae9bf04-8326-ec11-b6e6-000d3a4f0789

It is quite possible that if the ask gets enough traction, our Product Group may consider adding this feature.

Thank you for your contribution in Microsoft QnA
Have a great day ahead!

Cheers,
Kapil

Share via

Azure Application Gateway Mutual authentication and client_certificate_verification server variable

Your answer