We are developing a webservice which will respond to requests from a third-party server. We have a (wildcard) SSL certificate installed. Now the other party wants a 2-way SSL authentication between their servers and ours. We've tried to find information about how to configure this exactly, but it's hard to find comprehensive documentation about that.
Since our SSL certificate is Class 2 and can be used for server as well as client authentication, we understood that 2-way authentication basically should work by default.
I've set the SSL Settings of the webservice site to 'Require SSL' and 'Require client certificates'. With the Configuration Editor (system.webServer/security/authentication/iisClientCertificateMappingAuthentication) I've set enabled to true, manyToOneCertificateMappingsEnabled to true and added a mapping to our certificate under manyToOneMappings.
To test this, I've imported the server certificate (personal store) with IE. Now, when I try to access the webservice (...service.asmx?WSDL), IE presents a dialog to confirm the certificate. After clicking OK, the WSDL schema is shown. Everything is fine and the certificate seems to work for client authentication. However, if I change the manyToOneMappings certificate settings to some nonsense (so the certificate doesn't match anymore and access should be denied), the certificate is still accepted and I can still access the schema.
I have some questions, hope someone here can answer.
- Where are the iisClientCertificateMappingAuthentication settings for a website stored? I'd expected them in the web.config, but I can't find anything in there.
- There seems to be a native iisClientCertificateMappingAuthentication and a role service with the same name (which is not installed). What is the difference and do we need to install the role service?
- Is it always necessary to add a user name / password to the manyToOneMapping? Or can we leave it blank for anonymous access?
- It looks like the rules under manyToOneMappings are not evaluated. I found some references about the same problem on the internet, but no solutions. Is this a known bug or am I doing something wrong?
All in all we can't get it to work as easily as we thought; hope that someone here can point us in the right direction!
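As an added illustration (not part of the original question), this is the applicationHost.config fragment that the settings described above correspond to; the site path, partner certificate CN and mapped Windows account are placeholders. The iisClientCertificateMappingAuthentication section is locked at the server level by default, so Configuration Editor writes it to applicationHost.config rather than the site's web.config, and the many-to-one rules are only consulted once anonymous authentication is disabled for the site.

```xml
<!-- applicationHost.config (%windir%\system32\inetsrv\config), site-level
     <location> block. Site path, partner CN and account are placeholders. -->
<location path="Default Web Site/PartnerService">
  <system.webServer>
    <security>
      <!-- Require TLS and require (not merely negotiate) a client certificate -->
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
      <authentication>
        <!-- With anonymous access enabled the request is already authenticated
             and the certificate is only checked for trust, never mapped -->
        <anonymousAuthentication enabled="false" />
        <iisClientCertificateMappingAuthentication enabled="true"
            manyToOneCertificateMappingsEnabled="true"
            oneToOneCertificateMappingsEnabled="false">
          <manyToOneMappings>
            <!-- A trusted client certificate whose Subject CN matches the rule
                 is mapped to the Windows account below; anything else is denied -->
            <add name="PartnerServers" enabled="true" permissionMode="Allow"
                 userName="SVC_PARTNER_PLACEHOLDER" password="PASSWORD_PLACEHOLDER">
              <rules>
                <add certificateField="Subject" certificateSubField="CN"
                     matchCriteria="api.partner.example" compareCaseSensitive="true" />
              </rules>
            </add>
          </manyToOneMappings>
        </iisClientCertificateMappingAuthentication>
      </authentication>
    </security>
  </system.webServer>
</location>
```

IIS encrypts the password attribute when the mapping is saved through Configuration Editor or appcmd; the effective configuration for the site can be checked with `appcmd list config "Default Web Site/PartnerService" -section:system.webServer/security/authentication/iisClientCertificateMappingAuthentication`.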