Access Denied error on mutual authentication in Application Gateway v2 and Azure App Service

Question

Ref1: enter link description here

Ref2: enter link description here

I've implemented mutual (certificate) authentication and I hosted my app on the Azure App service. When I open directly my app URL https://apptemp.azurewebsites.net/swagger/index.html and then select client certificate, the app works well and I see my app page.

Now, I've added an Azure Application Gateway V2 ( without WAF) with the below configuration.

1. I configure this item on my web app

2. I configure the backend HTTP setting

3. Create an SSL profile with a Public certificate that is exported from the root certificate. The root certificate was uploaded to the server.

4. I added a listener

5. In the health probe with the below config.

for the resulting test, I received this error:

Received invalid status code: 403 in the backend server’s HTTP response. As per the health probe configuration, 200-399 is the acceptable status code. Either modify probe configuration or resolve backend issues.

And also I received the 502 bad gateway when I open the test.mydomain.com URL.

6. I changed HTTP response status code match to 200-403 and then I received Healthy status.

But when I open the test.mydomain.com URL I received the below error.

Really I am confused that what is the problem :(

Answer 1

I tried to reproduce the same in my environment and got the results successfully.

I created app service with host https://staxxx.azurewebsites.net/imran/index.html as same.

Added backend pool:

I have created two backend setting with http port 80 and https port 443 like below ...custom probes automatically added when you are creating probes.

And try to update SSL profile with client authentication and ssl policy like below.

While creating application gateway I created listener 1 with HPPT 80 and now I added listener 2 with port 443 along with sample host name.

While creating app gateway I created rule 1 with listener 1 with path base and then I create another rule with listener 2 with same backend target and setting like below.

Now I added rule 2 with listener 2 with same backend target and setting... So, my ssl certificate will be integrate to listener 2 and listener to http and it will establish a connection to the backend targets.

Added healthy probes

Now, when I try to redirect it's work successfully like below

https://your domain/azurewebsites.net/imran/index.html

Answer 2

It looks like you are attempting to perform mTLS through the App Gateway to your backend App Service. Understand that there are two TLS connections being performed here, one between the client and the App Gateway, and one between the App Gateway and your App Service. No setting in App Gateway's configuration for SSL or certificates will affect both of these connections; they only affect the listener side or the backend side.

The App Gateway is not capable of performing mTLS as a client to a backend service. The only mTLS related function with App Gateway is for clients to connect it using a trusted client certificate and this does not affect the TLS sessions on the backend.

There is a workaround to get this to work with headers, but I would first consider if it's acceptable to just do mTLS on your App Gateway's frontend and have a regular TLS session being done on the backend to the App Service. If so, you can see how to configure this here: https://learn.microsoft.com/en-us/azure/application-gateway/mutual-authentication-overview

If you want something close to End-to-End mTLS, the best way to accomplish this is using header rewrite as the PEM data from a client certificate can be obtained with the "var_client_certificate" variable. You can place this data in a header for your server to read. The downside is your backend server's code will need rewriting to authenticate using the header data against the issuing authority instead of during the TLS handshake. For header rewrites reference this document here: https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-portal