Profile Applicability:
- Level 2
Description:
This check ensures that the web app hosted in Azure App Service is configured to require incoming client certificates for authentication. Enabling client certificates provides a secure way to authenticate clients by verifying that only those with valid certificates can access the web app.
Rationale:
Enabling client certificates ensures that only authenticated clients with valid certificates can connect to the web application. This method uses mutual TLS (mTLS), providing a high level of security by verifying both the server and client. It is essential for environments that require strict access control, such as financial services or government applications.
Impact:
Pros:
Provides an additional layer of security by requiring certificates from clients for authentication.
Helps ensure that only authorized clients can access the web application.
Reduces the risk of unauthorized access or man-in-the-middle attacks.
Cons:
Requires additional management for issuing, distributing, and renewing client certificates.
May lock out legitimate users if the certificates are not properly managed or if users do not hold a valid certificate.
Can introduce complexity in the application workflow if client certificates are not handled correctly.
Default Value:
By default, incoming client certificates are disabled in Azure App Service. This setting must be manually configured.
Pre-requisites:
Ensure that client certificates are issued and trusted by your organization. Additionally, configure the app to properly handle and validate the client certificates.
Test Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to the App Services blade.
Select the app you want to review.
Under the Settings section, click on Configuration.
In the General Settings section, click on Incoming client certificates.
Ensure that the Client Certificate Mode is set to Require (indicating that incoming client certificates are enabled).
Using Azure CLI:
To check the incoming client certificates status for an existing app, run the following command:
az webapp show --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --query clientCertEnabled
The output should return true if incoming client certificates are enabled.
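As an added example (not part of the benchmark text), the Python audit below evaluates the JSON that `az webapp list` returns for every app in a resource group. It goes one step beyond the `clientCertEnabled` query above: it also checks `clientCertMode`, because the Optional and OptionalInteractiveUser modes report `clientCertEnabled` as true while still admitting requests that carry no certificate, and it surfaces any `clientCertExclusionPaths`. The site records at the bottom are constructed, and the resource group name is a placeholder.

```python
"""Audit Azure App Service apps for the 'require incoming client certificates' setting.

Works on the JSON that `az webapp list` or `az webapp show` prints; evaluate_site()
never calls Azure itself, so the constructed sample at the bottom runs offline.
clientCertEnabled, clientCertMode and clientCertExclusionPaths are the
Microsoft.Web/sites properties the CLI returns.
"""
import json
import subprocess

def evaluate_site(site: dict) -> tuple[bool, str]:
    """Return (compliant, reason) for one site record.

    clientCertEnabled alone is not a sufficient check: it is also true for the
    Optional and OptionalInteractiveUser modes, which still admit requests that
    carry no certificate. Only clientCertMode == 'Required' satisfies the control.
    """
    if site.get("clientCertEnabled") is not True:
        return False, "incoming client certificates are disabled"
    mode = site.get("clientCertMode") or ""
    if mode != "Required":
        return False, f"clientCertMode is {mode!r}, not 'Required'"
    exclusions = (site.get("clientCertExclusionPaths") or "").strip()
    if exclusions:
        # Excluded paths are served without a certificate; surface them for review.
        return True, f"Required, but these paths are excluded: {exclusions}"
    return True, "Required on all paths"

def audit(sites: list[dict]) -> dict[str, tuple[bool, str]]:
    """Evaluate every site record and key the results by app name."""
    return {site["name"]: evaluate_site(site) for site in sites}

def fetch_sites(resource_group: str) -> list[dict]:
    """Pull live records with the Azure CLI (needs an authenticated `az` session)."""
    query = ("[].{name:name,clientCertEnabled:clientCertEnabled,"
             "clientCertMode:clientCertMode,clientCertExclusionPaths:clientCertExclusionPaths}")
    cmd = ["az", "webapp", "list", "--resource-group", resource_group, "--query", query, "-o", "json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)

# Constructed sample records (not real subscription data); swap in fetch_sites("<RESOURCE_GROUP_NAME>") for a live run.
SAMPLE_SITES = [
    {"name": "payments-api", "clientCertEnabled": True, "clientCertMode": "Required", "clientCertExclusionPaths": None},
    {"name": "portal-web", "clientCertEnabled": True, "clientCertMode": "Optional", "clientCertExclusionPaths": None},
    {"name": "legacy-site", "clientCertEnabled": False, "clientCertMode": "Required", "clientCertExclusionPaths": None},
    {"name": "docs-site", "clientCertEnabled": True, "clientCertMode": "Required", "clientCertExclusionPaths": "/health;/public"},
]

if __name__ == "__main__":
    for name, (ok, reason) in audit(SAMPLE_SITES).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {reason}")
```

Only `payments-api` and `docs-site` pass; `docs-site` passes with its excluded paths listed so that the reviewer can confirm they are intentional (for example, health probes).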
Implementation Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to App Services.
Select the app for which you want to enable client certificate authentication.
Under the Settings section, click on Configuration.
In the General Settings section, click on Incoming client certificates.
Set Client Certificate Mode to Require.
Click Save to apply the changes.
Using Azure CLI:
To enable incoming client certificates, run the following command:
az webapp update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --client-cert-enabled true
Backout Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to App Services.
Select the app for which you want to disable client certificate authentication.
Under the Settings section, click on Configuration.
In the General Settings section, click on Incoming client certificates.
Set Client Certificate Mode to Off.
Click Save to apply the changes.
Using Azure CLI:
To disable incoming client certificates, run the following command:
az webapp update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --client-cert-enabled false