Azure client certificate authentication, or TLS Mutual Authentication, lets app users sign in by providing a certificate as proof of identity. A trusted party, often the app publisher, gives this certificate. It confirms the user’s identity, offering a stronger security level than just password authentication since no one can forge the certificate.

The presentation and verification of the certificate occur during the SSL handshake. In this process, the browser sends an X.509 certificate as a request header to the server. Naturally, this process should happen over a secure HTTPS connection, not HTTP.

In Azure, it’s straightforward to set up this feature. The App Service includes a feature for ‘TLS mutual authentication’ with a client certificate. Usually found on the user’s local operating system or browser’s key store. All modern browsers can support client certificates. This mechanism is an excellent way to secure an app, especially when high security is necessary.

Client certificates can also be used to secure API endpoints using Azure API Management. See this article for more information.

Pricing Tiers

Azure TLS Mutual Authentication is only available of the Basic, Standard, Premium and Isolated pricing tiers. If your app is on the Free or Shared tiers you will need to upgrade. This is due to the ‘Custom SSL’ feature not being available on these lower tiers.

How Azure TLS Mutual Authentication Works

To enable client certificate authentication, you need to go to the app’s management page. Click on ‘configuration’ and select ‘general settings’ from the link at the top of the page.

..and set the ‘client certificate mode’ to ‘Require’. And that’s it, users of your app must sign-in using a client certificate.

If you need client certificate authentication for specific paths in your application and not for others, define these paths using the ‘Certificate Exclusion Paths’ setting in the general configuration window. For instance, if you don’t want to protect the contents of the /public folder with client certificate authentication, enter /public in this field.

If the app is an ASP.NET application, you can access the client certificate in code using the HttpRequest.ClientCertificate property. The app needs to verify the certificate’s validity by examining this property, such as checking the certificate’s name, expiry date, or issuer. If these initial checks don’t pass, the app should return an HTTP 401 error code (unauthorized response).

In other languages and frameworks, they present the certificate as a base64 encoded value in the header. For instance, in a Node.js app, you would use http_request.get(‘X-ARR-ClientCert’) where http_request is the request object..

Conclusion

Using client certificates to perform TLS mutual authentication is a great way to secure your app where a higher level of security is required. Setting up client certificate authentication in Azure is a relatively trivial task and can offer extra peace of mind if the security and privacy of your application is paramount.