articles/app-service/app-service-web-configure-tls-mutual-auth.md
9 additions & 9 deletions
@@ -22,13 +22,13 @@ You can restrict access to your Azure App Service app by enabling different type
22
22
[!INCLUDE [Prepare your web app](../../includes/app-service-ssl-prepare-app.md)]
23
23
24
24
## Enable client certificates
25
-
When you enable client certificate for your app, you should select your choice of client certificate mode. Each mode defines how your app will handle incoming client certificates:
25
+
When you enable client certificate for your app, you should select your choice of client certificate mode. Each mode defines how your app handles incoming client certificates:
26
26
27
27
|Client certificate modes|Description|
28
28
|-|-|
29
29
|Required|All requests require a client certificate.|
30
-
|Optional|Requests may or may not use a client certificate. Clients will be prompted for a certificate by default. For example, browser clients will show a prompt to select a certificate for authentication.|
31
-
|Optional Interactive User|Requests may or may not use a client certificate. Clients will not be prompted for a certificate by default. For example, browser clients will not show a prompt to select a certificate for authentication.|
30
+
|Optional|Requests may or may not use a client certificate and clients are prompted for a certificate by default. For example, browser clients will show a prompt to select a certificate for authentication.|
31
+
|Optional Interactive User|Requests may or may not use a client certificate and clients are not be prompted for a certificate by default. For example, browser clients won't show a prompt to select a certificate for authentication.|
32
32
33
33
### [Azure portal](#tab/azureportal)
34
34
To set up your app to require client certificates in Azure portal:
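Review bot: The new "Optional Interactive User" row reads "clients are not be prompted for a certificate by default", which is ungrammatical; it should be "clients aren't prompted for a certificate by default". The tense cleanup is also only half applied across the two rows: the "Optional" description still says "browser clients will show a prompt" while the row below now says "won't show". Using "browser clients show a prompt" and "browser clients don't show a prompt" would match the present tense adopted in the introductory sentence.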
@@ -94,7 +94,7 @@ For ARM templates, modify the properties `clientCertEnabled`, `clientCertMode`,
94
94
When you enable mutual auth for your application, all paths under the root of your app require a client certificate for access. To remove this requirement for certain paths, define exclusion paths as part of your application configuration.
95
95
96
96
> [!NOTE]
97
-
> Using any client certificate exclusion path will trigger TLS renegotiation for the app.
97
+
> Using any client certificate exclusion path triggers TLS renegotiation for the app.
98
98
99
99
1. From the left navigation of your app's management page, select **Configuration** > **General Settings**.
100
100
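Review bot: The note on exclusion paths says they trigger TLS renegotiation but gives the reader no pointer to what that costs. The "Client certificate and TLS renegotiation" section later in this file states that TLS 1.3 and HTTP 2.0 don't work with renegotiation-based settings and that POST or PUT requests over 100 kb fail with a 403. Linking the note to that section would let someone adding an exclusion path see the trade-off before saving the setting.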
@@ -109,23 +109,23 @@ In the following screenshot, any path for your app that starts with `/public` do
109
109
![Certificate Exclusion Paths][exclusion-paths]
110
110
111
111
## Client certificate and TLS renegotiation
112
-
App Service requires TLS renegotiation to read a request before knowing whether to prompt for a client certificate. Any of the following settings below will trigger TLS renegotiation:
112
+
App Service requires TLS renegotiation to read a request before knowing whether to prompt for a client certificate. Any of the following settings triggers TLS renegotiation:
113
113
1. Use "Optional Interactive User" client certificate mode.
114
114
1. Use [client certificate exclusion path](#exclude-paths-from-requiring-authentication).
115
115
116
116
> [!NOTE]
117
117
> TLS 1.3 and HTTP 2.0 don't support TLS renegotiation. If you configure your app with these protocols, they won't work with client certificate settings that use TLS renegotiation.
118
118
119
-
To disable TLS renegotiation and to have the app negotiate client certificates during TLS handshake, you must configure your app with *all*the settings below:
119
+
To disable TLS renegotiation and to have the app negotiate client certificates during TLS handshake, you must configure your app with *all*these settings:
120
120
1. Set client certificate mode to "Required" or "Optional"
121
121
2. Remove all client certificate exclusion paths
122
122
123
123
### Uploading large files with TLS renegotiation
124
-
Client certificate configurations that uses TLS renegotiation cannot support incoming requests with large files greater than 100kb due to buffer size limitations. In this scenario, any POST or PUT requests over 100kb will fail with a 403 error. This limit is not configurable and cannot be increased.
124
+
Client certificate configurations that use TLS renegotiation cannot support incoming requests with large files greater than 100 kb due to buffer size limitations. In this scenario, any POST or PUT requests over 100 kb will fail with a 403 error. This limit isn't configurable and can't be increased.
125
125
126
-
Below are the only available alternative solutions to address the 100kb limit:
126
+
These are the only available alternative solutions to address the 100kb limit:
127
127
128
-
1. Update your app's client certificate configuration to meet _all_requirements below:
128
+
1. Update your app's client certificate configuration with _all_these requirements:
129
129
1. Set client certificate mode to either "Required" or "Optional"
130
130
1. Remove all client certificate exclusion paths
131
131
1. Send a HEAD request before the PUT/POST request. The HEAD request will handle the client certificate.
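Review bot: The size limit is now written two ways within a few lines: "100 kb" in the rewritten paragraph and "100kb" in the new sentence "These are the only available alternative solutions to address the 100kb limit". Pick one form, and consider "100 KB", since lowercase "kb" is commonly read as kilobits. The rewritten paragraph also keeps "cannot support" next to the new "isn't configurable and can't be increased", so the contraction style is inconsistent within the same paragraph.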