Incoming Client certificate in Azure App Service?

When we enable client certificate on Azure web site, this is the window that pops up in the browser when user try to connect to app;

When user click on Certificate information, he get following window;

Where is this certificate? How did I got this? Our environment is not AD joined. The certificate seems to be issued by AD domain server “MS-Organization-Access”.

The problem started when one of my developer asked me that he is not able to connect to App. The browser doesn’t show any certificate and he keep getting this error;

Error 403: Forbidden: Client Certificate Required

Apple clients are getting the same error.

We are not using any code to manipulate or validate certificates. It’s merely a setting thing in Azure.

Eventually, switch the mode of incoming client certificates to Allow so that my team can connect to Apps in Azure.

What are the differences between “Allow” and “Require” for Client certificate modes in App Service general settings?

All paths should not require client certificate, just /secure one require client certificate

• Ignore: This setting does not accept client certificates if presented.
• Accept: Select this setting if you want to accept client certificates (if it’s presented) but will also continue with connections where the client doesn’t present one.
• Require: Select this option to require that certificates verify client identity.

For the exclusion path the document does mention -‘To allow certain paths to remain open for anonymous access. If we add /public to the path, anything under /public path for the application would not request a client certificate.

Compliance

There are 6 standards that are applicable to this policy:

  • APRA (CPS 234) Information Security
  • Multi-Level Protection Scheme (MLPS) v2.0
  • NIST 800-53 Rev 5
  • NIST 800-53 Rev4
  • CIS v1.1 (Azure)
  • CIS v1.2.0 (Azure)