Publish Applications using Client Certificate Preauthentication


This content is relevant for the on-premises version of Web Application Proxy. To enable secure access to on-premises applications over the cloud, see the Azure AD Application Proxy content.

This topic describes how to publish applications through Web Application Proxy using client certificate preauthentication. Before beginning the deployment steps, ensure that you have completed the planning steps described in Plan to Publish Applications using Client Certificate Preauthentication [WAP].


When configuring the external URL and the backend server URL, you must enter a URL. You cannot enter an IP address.

Client certificate preauthentication is used in scenarios where a small group of external servers connect to an on-premises server through Web Application Proxy. Client certificate preauthentication should not be used for client devices connecting to published applications.

The general client certificate preauthentication flow is as follows:

  1. An external server makes a request to the published resource URL.

    The resource URL is a public address on which Web Application Proxy listens for new HTTPS requests.

  2. Web Application Proxy authenticates the external server using the certificate thumbprint of a certificate configured on the external server.

  3. After the external server is authenticated, Web Application Proxy forwards the HTTPS request to the corporate network to the published web application using either HTTP or HTTPS.

  4. The published web application responds to the request from the external server.


This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see Using Cmdlets.

Publish an Application using Client Certificate Preauthentication

This procedure describes how to publish an application using client certificate authentication. This type of application can be published only using Windows PowerShell. Before you begin, make sure that you have done the following:

  • Import the website certificate from the backend server, or verify that a certificate on the Web Application Proxy server is suitable for the application you want to publish.

  • Import the certificate from the external server.

Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

To publish the application:

    -BackendServerURL ''
    -ExternalCertificateThumbprint '1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b'
    -ExternalURL ''
    -Name 'Client certificate preauthentication application'
    -ExternalPreAuthentication ClientCertificate
    -ClientCertificatePreauthenticationThumbprint '123456abcdef123456abcdef123456abcdef12ab'

See also