Azure Application Gateway: Client Certificates headers?

Adrien Michaud
2021-09-16T08:51:04.377+00:00

Hello,

I've been troubleshooting a really strange issue on my Application Gateway and the Azure Web Application behind it.

A month ago I set up my application gateway with a web application and all seemed to work well, passing the header I need correctly. But now I have a problem fetching the header "X-ARR-ClientCert", which should be (and was) present in each successfully authenticated request. The header is not present in the requests anymore...

The Application Gateway receives HTTPS and routes it over HTTP to my web app. The listener is configured to use my SSL profile. As an example, here is an access log entry:

{
  "timeStamp": "2021-09-13T13:42:53+00:00",
  "resourceId": "/SUBSCRIPTIONS/D33C8661-DE39-4265-8526-6C2B32160154/RESOURCEGROUPS/MHS-AG/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/MHS-AG",
  "listenerName": "gw-dev",
  "ruleName": "gw-dev",
  "backendPoolName": "dev",
  "backendSettingName": "http-dev",
  "operationName": "ApplicationGatewayAccess",
  "category": "ApplicationGatewayAccessLog",
  "properties": {
    "instanceId": "appgw_0",
    "clientIP": "77.205.111.223",
    "clientPort": 57595,
    "httpMethod": "GET",
    "originalRequestUriWithArgs": "/v1/transactions/?acq_to_dl=0&implant_mac=99:99:99:99:90:50&timezone=8",
    "requestUri": "/v1/transactions/",
    "requestQuery": "acq_to_dl=0&implant_mac=99:99:99:99:90:50&timezone=8",
    "userAgent": "Python/3.8 aiohttp/3.7.4.post0",
    "httpStatus": 403,
    "httpVersion": "HTTP/1.1",
    "receivedBytes": 1506,
    "sentBytes": 542,
    "timeTaken": 0.915,
    "transactionId": "ba23f8606b2718e7d132a27e6bf0df2a",
    "sslEnabled": "on",
    "sslCipher": "ECDHE-RSA-AES256-GCM-SHA384",
    "sslProtocol": "TLSv1.2",
    "sslClientVerify": "SUCCESS",
    "sslClientCertificateFingerprint": "d35719cfe802e02b90b3fa2f48d2f96c605f774c",
    "sslClientCertificateIssuerName": "DC=https://bridge-dev.snhtest.online,O=Sentinhealth,L=Grenoble,ST=Is\\C3\\A8re,C=FR",
    "serverRouted": "40.89.141.103:80",
    "serverStatus": "403",
    "serverResponseLatency": "0.916",
    "originalHost": "bridge-dev.snhtest.online",
    "host": "bridge-dev.snhtest.online"
  }
}

So it looks like the validation is successful, but I do not receive a header with the certificate.

Is there any documentation on the headers created by Application Gateway on successful verification?

Did something change recently?

Thanks for your help!


Accepted answer
  1. ChaitanyaNaykodi-MSFT (Microsoft Employee)
    2021-09-20T23:59:41.953+00:00

    Hello @Adrien Michaud, apologies for the delayed response here. From the question I understand that your flow is Client --(HTTPS)--> AppGW --(HTTP)--> Web App. You are using Mutual Authentication and have set your SSL profile to mutually validate client requests. That is successful, but the request sent to the Web App does not contain the "X-ARR-ClientCert" header. Please let me know if my understanding is not correct.

    Based on the above understanding: from the documentation I do see that the client_certificate server variable is supported. Have you done a request header rewrite with a custom header name X-ARR-ClientCert and value {var_client_certificate}? If not, can you try setting it up and see if the header is received at the backend?
    If you have already set this header up and it still does not show up at your backend, can you set the name to X-ARR-anyvalue and see if this helps? As Mutual Authentication is still in preview, some features might not work as expected, and it is currently not recommended for production environments.

    Please let me know if there are any additional concerns. I will be glad to continue our discussion. Thank you!


1 additional answer

  1. Adrien Michaud
    2021-09-21T11:02:37.493+00:00

    Thanks for your answer @ChaitanyaNaykodi-MSFT, I found the problem and fixed it:

    • Your understanding was correct!
    • I was not using rewrite rules with the server variables, so I added one rewrite rule as you said, and I now have the certificate in the header (I used mitmproxy to debug)!
    • The second problem was that the web application had the parameter "Client Certificate" set to "Ignore". It seems to drop the header "X-ARR-Client-Cert", so I needed to change the header name to "X-Client-Cert".

    I think there was a change a little while ago that removed X-ARR-Client-Cert on Application Gateway in favour of only the rewrite headers, or something like that, since I never used the rewrite rules before.

    Thanks a lot for your help!
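Added example (not code from either participant or from Microsoft): once the rewrite rule from the accepted answer copies {var_client_certificate} into a request header, and the header is renamed as in the follow-up so App Service does not drop it, the backend is trusting a plain HTTP header. Two things a practitioner wants at that point are shown here with the standard library only: the header is treated as evidence only when the request actually arrived from the gateway (anyone who can reach the backend directly could otherwise forge it), and the certificate is pinned by its SHA-1 fingerprint, the same form as sslClientCertificateFingerprint in the access log above. Assumptions, none of which the thread states: the header is called X-Client-Cert, the gateway reaches the backend from 10.0.1.0/24, and the variable carries the PEM certificate with its line breaks flattened into spaces, tabs or %0A (a bare base64 DER body is accepted too). The certificate bytes are a constructed stand-in, not a real certificate; a real deployment would additionally parse the DER (for example with the cryptography package) to check subject and validity dates.

```python
"""Backend-side consumption of the client-certificate header forwarded by
Application Gateway. Added example; assumptions are marked in comments."""
import base64
import binascii
import hashlib
import ipaddress
import re
from urllib.parse import unquote

# Assumption: header name chosen so App Service does not strip it (see the thread).
CLIENT_CERT_HEADER = "X-Client-Cert"

# Assumption: the only addresses the gateway uses to reach this backend.
GATEWAY_SOURCES = [ipaddress.ip_network("10.0.1.0/24")]

_PEM_BODY = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def header_to_der(value: str) -> bytes:
    """Recover DER bytes from a header carrying a flattened PEM or bare base64."""
    text = unquote(value)  # undo %0A / %20 if the gateway URL-encoded the PEM
    match = _PEM_BODY.search(text)
    body = match.group(1) if match else text
    body = re.sub(r"\s+", "", body)  # drop space/tab/newline remnants of PEM lines
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("client certificate header is not valid base64/PEM") from exc


def fingerprint_sha1(der: bytes) -> str:
    """SHA-1 over the DER encoding, as Application Gateway logs it."""
    return hashlib.sha1(der).hexdigest()


def is_from_gateway(remote_addr: str) -> bool:
    """True only if the TCP peer is one of the gateway's backend-facing addresses."""
    ip = ipaddress.ip_address(remote_addr)
    return any(ip in net for net in GATEWAY_SOURCES)


def authenticate(headers: dict, remote_addr: str, allowed_fingerprints: set) -> tuple:
    """Return (ok, detail). The header is only trusted when the gateway set it."""
    if not is_from_gateway(remote_addr):
        return False, "request bypassed the gateway; header is not trustworthy"
    value = next(
        (v for k, v in headers.items() if k.lower() == CLIENT_CERT_HEADER.lower()),
        None,
    )
    if not value:
        return False, "no client certificate forwarded"
    try:
        fp = fingerprint_sha1(header_to_der(value))
    except ValueError as exc:
        return False, str(exc)
    if fp not in allowed_fingerprints:
        return False, f"certificate {fp} not on allowlist"
    return True, fp


# Constructed stand-in for a certificate's DER bytes (not a real certificate).
FAKE_DER = b"constructed-not-a-real-certificate"
_B64 = base64.b64encode(FAKE_DER).decode()
# Constructed: what the PEM might look like after its newlines became spaces.
SAMPLE_HEADER = (
    "-----BEGIN CERTIFICATE----- " + _B64[:20] + " " + _B64[20:] + " -----END CERTIFICATE-----"
)
ALLOWED = {fingerprint_sha1(FAKE_DER)}

if __name__ == "__main__":
    print(authenticate({"X-Client-Cert": SAMPLE_HEADER}, "10.0.1.5", ALLOWED))
    print(authenticate({"X-Client-Cert": SAMPLE_HEADER}, "77.205.111.223", ALLOWED))
    print(authenticate({}, "10.0.1.5", ALLOWED))
```

The gateway check is what makes the header meaningful: restrict the backend (App Service access restrictions, or an NSG on the backend subnet) so it is reachable only from the gateway, and keep the source check in the application as a second line. Fingerprint pinning is the simplest policy; issuer or subject checks need DER parsing, which this stdlib-only example leaves out.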