Azure APIM Client Certificate Validation Not Working For Custom Domain


I know there are lots of questions/answers already posted around APIM client cert validation; I checked all the recommended configurations/settings, but it's not working for me.

Issue: I have an API with a policy to validate client certificates. It works when I call the API endpoint with the default APIM domain, but it doesn't work if I call the same endpoint with a custom domain; I get the error "Client Certificate is Missing". Looking at the trace, it seems APIM is not receiving the certificate.

        {
            "source": "client-certificate-handler",
            "timestamp": "2023-11-17T22:52:18.1716282Z",
            "elapsed": "00:00:00.0346916",
            "data": "Requesting client certificate because next handler requires access to it."
        },
        {
            "source": "client-certificate-handler",
            "timestamp": "2023-11-17T22:52:18.1906512Z",
            "elapsed": "00:00:00.0562917",
            "data": "No client certificate received."
        }

What I have already tried

  1. The Negotiate Client Certificate setting is enabled on the custom domain.
  2. The certificate to validate exists in the APIM certificate store.
  3. At the network level, there is no setting anywhere that drops or disallows the client certificate for a custom domain.

Using Postman (screenshot of the request not reproduced here)

1 answer

BreakHead On

Posting the answer so that it might be helpful for others.

There was no issue with Azure APIM; it was configured as expected. The issue was with the F5 load balancer. All requests to APIM are routed via the F5, and although there was no explicit setting or rule to drop the certificate, the F5 drops the client certificate by default.

So, if you see a similar issue, make sure that the client certificate doesn't get dropped at any network hop before APIM.
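A quick way to confirm the situation described in this answer, as an added diagnostic example that is not part of the original question or answer: a client certificate is only ever sent when the server side of the TLS handshake sends a CertificateRequest. If a hop such as the F5 terminates TLS, the handshake the client completes is the F5's, not APIM's, so APIM's CertificateRequest never reaches the client and the APIM trace shows "No client certificate received". Running `openssl s_client` with `-msg -state` against the default APIM hostname and then against the custom domain shows whether that message appears in each case. The script below assumes the `openssl` command-line tool; the two captured outputs embedded in it are constructed, abbreviated samples used only to exercise the check offline.

```shell
#!/bin/sh
# Added example (not from the original post): detect, from `openssl s_client`
# output, whether the TLS endpoint we reached asked for a client certificate.
#
# With `-msg`, openssl prints a line for each handshake message, e.g.
#   <<< TLS 1.2, Handshake [length 00d2], CertificateRequest
# With `-state`, it prints the state transition
#   SSL_connect:SSLv3/TLS read server certificate request
# (or the TLSv1.3 equivalent). Either line proves the server requested a
# certificate. If a TLS-terminating hop (the F5 in this thread) answers the
# handshake itself, neither line appears, and APIM never sees the certificate.

# cert_was_requested TEXT -> exit 0 if a CertificateRequest is visible in TEXT
cert_was_requested() {
    printf '%s\n' "$1" |
        grep -qE 'CertificateRequest|read server certificate request'
}

# probe_mtls HOST [PORT]: connect, capture the handshake, report the result.
# Run it once against the default *.azure-api.net hostname and once against
# the custom domain; a difference points at an intermediate hop.
probe_mtls() {
    host=$1
    port=${2:-443}
    # stdin from /dev/null makes s_client exit right after the handshake
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -msg -state </dev/null 2>&1) || true
    if cert_was_requested "$out"; then
        echo "$host: CertificateRequest received (client cert negotiation reaches the client)"
        return 0
    fi
    echo "$host: no CertificateRequest seen (a TLS-terminating hop may be answering instead of APIM)"
    return 1
}

# Constructed, abbreviated sample: handshake completed directly with a server
# that negotiates a client certificate (what the default APIM domain shows).
SAMPLE_DEFAULT_DOMAIN=$(cat <<'EOF'
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
<<< TLS 1.2, Handshake [length 00d2], CertificateRequest
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
EOF
)

# Constructed, abbreviated sample: handshake terminated by a hop that never
# asks for a client certificate (what the custom domain via the F5 shows).
SAMPLE_VIA_F5=$(cat <<'EOF'
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client key exchange
EOF
)

# Usage: ./probe.sh api.contoso.example myapim.azure-api.net
if [ $# -gt 0 ]; then
    for h in "$@"; do
        probe_mtls "$h"
    done
fi
```

If the custom domain shows no CertificateRequest while the default domain does, the policy and the APIM certificate store are not the problem; the hop in between is ending the TLS session. The fix is then on that hop (pass the TLS session through to APIM untouched, or perform the client-certificate check there), not in APIM.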