Steps on what to do if client certificate mode is greyed out/can't be changed?

[delgadoa1]

Is it possible to write a troubleshooting step on what to do if the client certificate mode is unable to be changed? Is there some RBAC role that is needed on top of having contributor to the subscription/resource level?

I even checked via the CLI, but the setting was set to "Required" which did not match the portal "Ignore"

---

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: eb440603-950a-c224-f6c9-222ca502d5a5
• Version Independent ID: 0b5c4944-0327-91fc-2b0b-c19a1b873b64
• Content: Configure TLS mutual authentication - Azure App Service
• Content Source: articles/app-service/app-service-web-configure-tls-mutual-auth.md
• Service: app-service
• GitHub Login: @msangapu-msft
• Microsoft Alias: msangapu

[SaibabaBalapur-MSFT]

@delgadoa1 Thanks for your feedback! We will investigate and update as appropriate.

[SnehaAgrawal-MSFT]

@delgadoa1 Thanks for reaching here! To create custom TLS/SSL bindings or enable client certificates for your App Service app, ensure that your App Service plan is in one of the following tiers:

Basic Tier: Offers more features and performance compared to the Free and Shared tiers. Standard Tier: Provides even more capabilities, including auto-scaling, staging slots, and daily backups. Premium Tier: Includes additional features like higher scale-out limits and network isolation. Isolated Tier: Designed for maximum scale and security with dedicated resources and network isolation. For detailed pricing and feature comparison, you can visit the App Service plan pricing details.

Remember, enabling client certificates or custom bindings might require additional configuration steps or permissions, such as specific RBAC roles, especially if you encounter issues with changing the client certificate mode.

see- https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tutorial-manage-certificates-for-federated-single-sign-on#prerequisites

[SnehaAgrawal-MSFT]

@delgadoa1 We will now proceed to close this thread. If there are further questions regarding this matter, please let us know. We will gladly continue the discussion.

[AlanDevOps]

If anyone has this in the future, you need to change HTTP version from 1.2 to 1.1 and the options will become available. You can change HTTP back to 1.2 after updating the value.

[Ali-haider-PlanstreetInc]

@AlanDevOps Hey Man you rock. I was looking for it and the Microsoft support guy was also confused on that. Switching to 1.1 fixed it.

[JV-conseil]

If anyone has this in the future, you need to change HTTP version from 1.2 to 1.1 and the options will become available. You can change HTTP back to 1.2 after updating the value.

Many thanks @AlanDevOps 🙏