Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,076 questions
Authentication with mTLS - force the browser to ask for a certifacte again after one failed attempt
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 41%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKK%3C/text%3E%3C/svg%3E)
Klaus Kiiskinen
0
Reputation points
We are using Application Gatway (appgw) with mTLS which requires a valid client certificate. On the users end there is a smartcard with the valid certifacte and a browser (mostly Edge). The user needs to authenticate him/herself with it. We use Keycloak in the backend.
Everything works fine, if the smardcard is inserted and the user selects the certificate when he/she is asked for it.
If the authentication attempt is done without smardcard inserted or by clicking cancel when asked for the certifiate it ends up with error 400 - "Bad request, No required SSL certifacte was sent" which is also ok and correct.
BUT if the user tries again it always ends up with error 400 on the appgw, even a valid smartcard is inserted now - the browser does not ask for the certificate again (appgw log reports ERRORINFO_HTTPS_NO_CERT, keycloak logs do not show anything - appgw blocks).
When the same browser session is used it will always end up with that error. Deleting cache and local data don't help, new tab doesn't help).
If the browser is closed and re-opened and the smartcard is inserted and the user selects it, everything works again fine.
I can repeat that behaviour on Edge, Chrome and Firefox.
Long story short: Is there a way to "force" the browser to ask for the certifcate again on appgw side (some setting I am not aware of)?
{count} votes
-
KapilAnanth-MSFT 46,016 Reputation points Microsoft Employee2024-09-16T07:57:23.0233333+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that users are unable to perform a mTLS Authentication after a single failed attempt even with the correct certificate unless the browser is re-opened.
This should not be the case.
- Ideally, deleting cache and local data should help with this
- I see the issue is reproducible with non-chromium based browser as well (Firefox)
To troubleshoot further, we will need a specialized 1:1 session, where a support engineer can check the backend logs to pinpoint the issue.
If you have a support plan you may file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.
P.S : We will be able to provide you one-time support if and only if your subscription is not managed by a CSP
Thanks,
Kapil
-
Klaus Kiiskinen 0 Reputation points
2024-09-23T13:26:58.5333333+00:00 Hello Kapil,
thanks a lot for the reply - I will file a ticket.
Regards,
Klaus
Sign in to comment
Sign in to answer