Disabling certificate-based authentication weakens an organization's ability to detect and respond to attacks on its critical functions and data.
Azure offers several ways to authenticate access to resources: anonymous connections, Basic authentication, password-based authentication and
certificate-based authentication.
Certificate-based authentication establishes mutual trust: the host verifies the client's certificate and the client verifies the host's. Because
the client proves possession of its private key during the TLS handshake, the credential cannot be forged or relayed by a man-in-the-middle, and
since the private key never leaves the client it is far harder to steal than a password.
During a security incident, certificates give investigators traceability (each client presents its own identifiable certificate) and let security
operations teams react faster: compromised certificates can be revoked individually, or the issuing certificate can be revoked, which invalidates
every certificate it issued at once.
Ask Yourself Whether
- This Azure resource is essential for the information system infrastructure.
- This Azure resource is essential for mission-critical functions.
- Compliance policies require access to this resource to be authenticated with certificates.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
Enable certificate-based authentication and make it mandatory: an "optional" or "accept" mode still admits clients that present no certificate, and a resource that also accepts passwords is only as strong as its weakest password.
Sensitive Code Example
Where the use of client certificates is controlled by a boolean value, such as:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.SignalRService/webPubSub",
"apiVersion": "2020-07-01-preview",
"name": "example",
"properties": {
"tls": {
"clientCertEnabled": false
}
}
}
]
}
resource example 'Microsoft.SignalRService/webPubSub@2020-07-01-preview' = {
name: 'example'
properties: {
tls: {
clientCertEnabled: false // Sensitive
}
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2015-08-01",
"name": "example",
"properties": {
"clientCertEnabled": false
}
}
]
}
resource example 'Microsoft.Web/sites@2015-08-01' = {
name: 'example'
properties: {
clientCertEnabled: false // Sensitive
}
}
Where the use of client certificates can be made optional, such as:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2015-08-01",
"name": "example",
"properties": {
"clientCertEnabled": true,
"clientCertMode": "Optional"
}
}
]
}
resource example 'Microsoft.Web/sites@2015-08-01' = {
name: 'example'
properties: {
clientCertEnabled: true
clientCertMode: 'Optional' // Sensitive
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.App/containerApps",
"apiVersion": "2022-10-01",
"name": "example",
"properties": {
"configuration": {
"ingress": {
"clientCertificateMode": "accept"
}
}
}
}
]
}
resource example 'Microsoft.App/containerApps@2022-10-01' = {
name: 'example'
properties: {
configuration: {
ingress: {
clientCertificateMode: 'accept' // Sensitive
}
}
}
}
Where client certificates can be used to authenticate outbound requests, such as:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DataFactory/factories/linkedservices",
"apiVersion": "2018-06-01",
"name": "factories/example",
"properties": {
"type": "Web",
"typeProperties": {
"authenticationType": "Basic"
}
}
}
]
}
resource example 'Microsoft.DataFactory/factories/linkedservices@2018-06-01' = {
name: 'example'
properties: {
type: 'Web'
typeProperties: {
authenticationType: 'Basic' // Sensitive
}
}
}
Where a list of permitted client certificates must be provided, such as:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DocumentDB/cassandraClusters",
"apiVersion": "2021-10-15",
"name": "example",
"properties": {
"clientCertificates": []
}
}
]
}
resource example 'Microsoft.DocumentDB/cassandraClusters@2021-10-15' = {
name: 'example'
properties: {
clientCertificates: [] // Sensitive
}
}
Where a resource can use both certificate-based and password-based authentication, such as:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.ContainerRegistry/registries/tokens",
"apiVersion": "2022-12-01",
"name": "registries/example",
"properties": {
"credentials": {
"passwords": [
{
"name": "password1"
}
]
}
}
}
]
}
resource example 'Microsoft.ContainerRegistry/registries/tokens@2022-12-01' = {
name: 'example'
properties: {
credentials: {
passwords: [ // Sensitive
{
name: 'password1'
}
]
}
}
}
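The patterns above are easy to miss in a review of a large template, so here is an added example that checks for them automatically. This is illustration code written for this page, not the original rule's examples and not the analyzer that implements the rule. It walks an ARM template (top-level and nested child resources), applies one check per resource type shown above, and returns a list of findings. The embedded template is constructed for the demonstration. One generalisation beyond the page's examples: for container apps it also flags `clientCertificateMode: "ignore"`, which disables client certificates entirely. Bicep files are not parsed directly; compile them first with `az bicep build --file main.bicep` and scan the resulting JSON.

```python
"""Scan an ARM deployment template for the client-certificate misconfigurations listed above."""
from __future__ import annotations

import json
from typing import Any, Tuple

# A finding is (resource type, resource name, reason).
Finding = Tuple[str, str, str]

# Constructed sample template (not from the page) that combines the sensitive settings
# discussed above plus one compliant web app, so the scanner has something to skip.
SAMPLE_TEMPLATE = """
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.SignalRService/webPubSub", "apiVersion": "2020-07-01-preview",
     "name": "pubsub", "properties": {"tls": {"clientCertEnabled": false}}},
    {"type": "Microsoft.Web/sites", "apiVersion": "2015-08-01", "name": "site-optional",
     "properties": {"clientCertEnabled": true, "clientCertMode": "Optional"}},
    {"type": "Microsoft.Web/sites", "apiVersion": "2015-08-01", "name": "site-ok",
     "properties": {"clientCertEnabled": true, "clientCertMode": "Required"}},
    {"type": "Microsoft.App/containerApps", "apiVersion": "2022-10-01", "name": "app",
     "properties": {"configuration": {"ingress": {"clientCertificateMode": "accept"}}}},
    {"type": "Microsoft.DataFactory/factories/linkedservices", "apiVersion": "2018-06-01",
     "name": "factories/web",
     "properties": {"type": "Web", "typeProperties": {"authenticationType": "Basic"}}},
    {"type": "Microsoft.DocumentDB/cassandraClusters", "apiVersion": "2021-10-15",
     "name": "cass", "properties": {"clientCertificates": []}},
    {"type": "Microsoft.ContainerRegistry/registries/tokens", "apiVersion": "2022-12-01",
     "name": "registries/tok",
     "properties": {"credentials": {"passwords": [{"name": "password1"}]}}}
  ]
}
"""


def _walk_resources(resources: list[dict[str, Any]], parent: str = "") -> list[tuple[str, dict[str, Any]]]:
    """Flatten top-level and nested resources. A nested child's full type is built from its
    parent, e.g. 'tokens' under Microsoft.ContainerRegistry/registries becomes
    Microsoft.ContainerRegistry/registries/tokens."""
    out: list[tuple[str, dict[str, Any]]] = []
    for res in resources:
        full_type = f"{parent}/{res.get('type', '')}" if parent else str(res.get("type", ""))
        out.append((full_type, res))
        out.extend(_walk_resources(res.get("resources", []), full_type))
    return out


def check_resource(full_type: str, res: dict[str, Any]) -> list[Finding]:
    """Apply the per-type checks. Types and enum values are compared case-insensitively,
    as ARM itself treats resource types."""
    rtype = full_type.lower()
    name = str(res.get("name", "<unnamed>"))
    props: dict[str, Any] = res.get("properties") or {}
    findings: list[Finding] = []

    def flag(reason: str) -> None:
        findings.append((full_type, name, reason))

    if rtype == "microsoft.signalrservice/webpubsub":
        if (props.get("tls") or {}).get("clientCertEnabled") is False:
            flag("tls.clientCertEnabled is false")
    elif rtype == "microsoft.web/sites":
        if props.get("clientCertEnabled") is False:
            flag("clientCertEnabled is false")
        elif str(props.get("clientCertMode", "")).lower() == "optional":
            flag("clientCertMode is Optional: clients without a certificate are still admitted")
    elif rtype == "microsoft.app/containerapps":
        ingress = (props.get("configuration") or {}).get("ingress") or {}
        mode = str(ingress.get("clientCertificateMode", "")).lower()
        if mode in ("accept", "ignore"):  # 'ignore' is flagged as a generalisation of the page's 'accept' case
            flag(f"ingress.clientCertificateMode is {mode!r} instead of 'require'")
    elif rtype == "microsoft.datafactory/factories/linkedservices":
        if str(props.get("type", "")).lower() == "web":
            auth = (props.get("typeProperties") or {}).get("authenticationType", "")
            if str(auth).lower() == "basic":
                flag("Web linked service uses Basic authentication instead of ClientCertificate")
    elif rtype == "microsoft.documentdb/cassandraclusters":
        if props.get("clientCertificates") == []:
            flag("clientCertificates is an empty list")
    elif rtype == "microsoft.containerregistry/registries/tokens":
        if (props.get("credentials") or {}).get("passwords"):
            flag("token credentials include passwords; use certificates only")
    return findings


def scan_template(template_text: str) -> list[Finding]:
    """Parse an ARM template (JSON text) and return every sensitive setting found."""
    doc = json.loads(template_text)
    findings: list[Finding] = []
    for full_type, res in _walk_resources(doc.get("resources", [])):
        findings.extend(check_resource(full_type, res))
    return findings


if __name__ == "__main__":
    for rtype, name, reason in scan_template(SAMPLE_TEMPLATE):
        print(f"[Sensitive] {rtype} '{name}': {reason}")
```

Run against the sample it reports six findings and is silent about `site-ok`. The checks deliberately test explicit values only (`is False`, `== []`): a property that is simply absent falls back to the service default, and whether that default is secure differs per resource type, so it is better handled by a separate review of defaults than by guessing here.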
Compliant Solution
Where the use of client certificates is controlled by a boolean value:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.SignalRService/webPubSub",
"apiVersion": "2020-07-01-preview",
"name": "example",
"properties": {
"tls": {
"clientCertEnabled": true
}
}
}
]
}
resource example 'Microsoft.SignalRService/webPubSub@2020-07-01-preview' = {
name: 'example'
properties: {
tls: {
clientCertEnabled: true
}
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2015-08-01",
"name": "example",
"properties": {
"clientCertEnabled": true,
"clientCertMode": "Required"
}
}
]
}
resource example 'Microsoft.Web/sites@2015-08-01' = {
name: 'example'
properties: {
clientCertEnabled: true
clientCertMode: 'Required'
}
}
Where the use of client certificates can be made optional:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2015-08-01",
"name": "example",
"properties": {
"clientCertEnabled": true,
"clientCertMode": "Required"
}
}
]
}
resource example 'Microsoft.Web/sites@2015-08-01' = {
name: 'example'
properties: {
clientCertEnabled: true
clientCertMode: 'Required'
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.App/containerApps",
"apiVersion": "2022-10-01",
"name": "example",
"properties": {
"configuration": {
"ingress": {
"clientCertificateMode": "require"
}
}
}
}
]
}
resource example 'Microsoft.App/containerApps@2022-10-01' = {
name: 'example'
properties: {
configuration: {
ingress: {
clientCertificateMode: 'require'
}
}
}
}
Where client certificates can be used to authenticate outbound requests:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DataFactory/factories/linkedservices",
"apiVersion": "2018-06-01",
"name": "factories/example",
"properties": {
"type": "Web",
"typeProperties": {
"authenticationType": "ClientCertificate"
}
}
}
]
}
resource example 'Microsoft.DataFactory/factories/linkedservices@2018-06-01' = {
name: 'example'
properties: {
type: 'Web'
typeProperties: {
authenticationType: 'ClientCertificate'
}
}
}
Where a list of permitted client certificates must be provided:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DocumentDB/cassandraClusters",
"apiVersion": "2021-10-15",
"name": "example",
"properties": {
"clientCertificates": [
{
"pem": "[base64-encoded certificate]"
}
]
}
}
]
}
resource example 'Microsoft.DocumentDB/cassandraClusters@2021-10-15' = {
name: 'example'
properties: {
clientCertificates: [
{
pem: '[base64-encoded certificate]'
}
]
}
}
Where a resource can use both certificate-based and password-based authentication:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.ContainerRegistry/registries/tokens",
"apiVersion": "2022-12-01",
"name": "registries/example",
"properties": {
"credentials": {
"certificates": [
{
"name": "certificate1",
"encodedPemCertificate": "[base64-encoded certificate]"
}
]
}
}
}
]
}
resource example 'Microsoft.ContainerRegistry/registries/tokens@2022-12-01' = {
name: 'example'
properties: {
credentials: {
certificates: [
{
name: 'certificate1'
encodedPemCertificate: '[base64-encoded certificate]'
}
]
}
}
}
See