I need to provide a level of authentication to protect a currently unsecured asmx service that should only be consumed by code running on a couple of other specific servers. Using Windows 2012, is it possible to restrict access to an IIS site (or application) to a particular list of client certificates?
I know you can set up mappings from certs to Windows users, but I am not able to modify the (asmx) web service code (which has no built-in authentication/restrictions). Is it possible to configure IIS so that only the certs in the mapping list will be accepted (even though we won't actually do anything with the Windows identity they're mapped to)?
Any insight is appreciated!