Requirement: Provide mutual authentication and authorization between a client and server app.
We are running a homegrown web service under IIS 7.5 on Windows 2008 Server R2, and accessing it from a homegrown .NET Windows Service on another machine. We have both client and server certificates that were issued from a CA that is identified in the Trusted Root Certification Authorities on both machines. These certificates are installed in the "machine" certificate stores on both machines.
When the site where the web service runs in IIS is configured to Use SSL but Ignore Client Certs, and the client app is configured to use a security Mode of "None", everything works fine. However, when IIS is configured either to Accept or Require Client Certs, and the client app is configured to use Transport/Certificate security, the server is giving us a 403.16 error.
Two questions, if I may.
1. Why are we getting this authentication failure?
2. Are we even using the proper approach here to authorize clients to access this service? We don't want just anyone who can hit the web service to be able to use it - we want to lock this web service down so that only this client service can communicate with it.
Disclaimer: I am a total n00b when it comes to setting up SSL and such in IIS.
BK
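A diagnostic for the two questions above, added here as an example (it is not code from the question or from the poster's services). 403.16 is the IIS sub-status for a client certificate that is untrusted or invalid, so the example builds the client certificate's chain against the Client Authentication EKU and prints every chain-status flag the server's own validation would report, then shows the thumbprint allow-list check a service can apply after IIS has accepted the certificate. The thumbprint is a placeholder and the single-client allow-list is an assumption.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
static class ClientCertCheck
{
    // Placeholder: replace with the thumbprint of the client certificate in LocalMachine\My.
    const string ClientThumbprint = "PLACEHOLDER_THUMBPRINT";
    // Assumption: exactly one client service is allowed to call the web service.
    static readonly string[] AllowedClients = { ClientThumbprint };

    static X509Certificate2 LoadFromMachineStore(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("Certificate not found in LocalMachine\\My");
            return found[0];
        }
        finally { store.Close(); }
    }

    // Builds the chain the way the server's validator would and prints every status flag
    // (untrusted root, missing intermediate, revocation failure, wrong EKU) that a bare 403.16 hides.
    static bool ChainsToTrustedRoot(X509Certificate2 cert)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2")); // Client Authentication EKU
        bool ok = chain.Build(cert);
        foreach (X509ChainElement element in chain.ChainElements)
            foreach (X509ChainStatus status in element.ChainElementStatus)
                Console.WriteLine("{0}: {1} - {2}", element.Certificate.Subject, status.Status, status.StatusInformation);
        return ok;
    }

    // Server-side authorization step: accept the call only if the presented certificate is on the allow-list.
    static bool IsAllowedClient(X509Certificate2 presented)
    {
        return Array.Exists(AllowedClients, t => string.Equals(t, presented.Thumbprint, StringComparison.OrdinalIgnoreCase));
    }

    static void Main()
    {
        X509Certificate2 cert = LoadFromMachineStore(ClientThumbprint);
        Console.WriteLine("Private key accessible to this account: " + cert.HasPrivateKey);
        Console.WriteLine("Chain builds to a trusted root: " + ChainsToTrustedRoot(cert));
        Console.WriteLine("On the service allow-list: " + IsAllowedClient(cert));
    }
}
```

Run it under the same account as the Windows Service on the client machine so the private-key and store-access results reflect that account, not an administrator's.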