We're building a ASP.NET Web API application that will only have a single "user", an external service. Our client requested that above SSL and IP filtering (which are outside the scope of the application), a client certificate should also be used for security.
We built other apps for this client, and they usually want a way to "visually" ping the service endpoint. In the past we did this with a simple html file, or an url that will respond with HTTP 200. I'm sure we'll be asked if we can do it again for this app. It's a yes or no question, but if we say no, we have to give the reason.
Client certificates make this a bit harder I imagine, so is there a way to set up a "ping" url without authentication in web.config like /api/ping? Is the <location> attribute has any affect on this? Or does authentication already happen before those settings get evaluated?