Step 4: Plan to Publish Applications using Client Certificate Preauthentication

This topic describes the preauthentication flow when using client certificate preauthentication and the planning tasks for publishing applications through Web Application Proxy using client certificate preauthentication.

Client certificate preauthentication is used in scenarios where a small group of external servers connect to an on-premises server through Web Application Proxy. Client certificate preauthentication should not be used for client devices connecting to published applications.

The general client certificate preauthentication flow is as follows:

  1. An external server makes a request to the published resource URL.

    The resource URL is a public address on which Web Application Proxy listens for new HTTPS requests.

  2. Web Application Proxy authenticates the external server using the certificate thumbprint of a certificate configured on the external server.

  3. After the external server is authenticated, Web Application Proxy forwards the HTTPS request to the corporate network to the published web application using either HTTP or HTTPS.

  4. The published web application responds to the request from the external server.


Web Application Proxy does not support wildcard domain publishing. That is, you cannot configure an external URL using a wildcard; for example, https://*

Task Description

4.1. Plan the External Servers

Decide which certificate will be used by the external servers for client certificate authentication.

4.2. Plan Applications for Client Certificate Preauthentication

Plan any prerequisites that are required before you can publish an application that uses client certificate preauthentication.

4.1. Plan the External Servers

To use client certificate preauthentication, the external servers must have a certificate issued by a public certification authority (CA). For information about requesting and configuring this certificate, see the documentation for your server. All of the external servers that you use to connect to the published web application must have the same certificate.

The certificate can be issued by any trusted certification authority, and you must be able to obtain the certificate thumbprint.

4.2. Plan Applications for Client Certificate Preauthentication

To publish an application using client certificate preauthentication, you do not require a relying party trust for the application.


Applications that use client certificate preauthentication cannot leverage the additional features that AD FS provides; such as, Workplace Join, multifactor authentication (MFA), and multifactor access control.

See also