We have developed a Web API application and we are using Mutual TLS V1.2 for Authentication. We have two servers (X and Y) in INTG Environment and also we have a load balancer. Server X and Y are accessed via load balancer server.
I have hit one of the Web Api Get request URL by selecting the Client certificate in Chrome browser if the request goes to server Y and if I pass a valid INTG client certificate it's working fine and If I pass invalid client certificate or other environment(SYST) certificate it throws 401 UnAuthorized. This is the correct behavior and it is working fine in Y.
But in the Server X if I pass invalid certificate it's throwing 401 Unauthorized but if I pass SYST Client Certificate it's working and I am getting the 200 response. It should not accept SYST client certificate in INTG Environment and it should throw 401 UnAuthorized but it is accepting it and I am getting 200 Response.
I verified both the server configurations everything appears same and I don't see any difference.
I identified this issue by stopping the site alternatively in both the servers.
We are using "iisClientCertificateAuthenticationMapping" and in that we have set the "manyToOneCertificateMappingsEnabled" as False and "oneToOneCertificateMapingsEnabled" as True and for "oneToOneMappings" I have set the userName, password and certificate(base64string).
Can you guys please let me know what are the possible reasons for the X server's incorrect behavior.
INTG SERVERS:
Server XServer Y