Scenario:
- A client calls WebService A on the LAN. WebService A is running under an App Pool with Identity "Network Service".
- WebService A does some work, prepares to call WebService B.
- WebService B requires a client cert (*.cer) and SSL.
- WebService A is on a dedicated Windows 2003 server.
- Everything works in the Dev environment as it should (but the developer, who has Administrator privileges, is always logged on locally there; no surprise!).
- The certificates are stored on disk at
C:\MyCertificates\
- The certificate is being applied at runtime successfully in Dev with this snippet:
// CreateFromCertFile is a static factory method, so it is called without "new".
myWebService.ClientCertificates.Add(X509Certificate.CreateFromCertFile(certPath));
Problem: WebService A is calling WebService B, and the returned exception is:
The request failed with HTTP status 403: Forbidden
This really means that the certificate was not sent in the request to WebService B.
I am under the assumption that installing this cert into the browser is not a solution. The browser settings typically are per-user, and I need to give the certificate to the user whose credentials the web service is running under. (e.g. Network Service, System, or whatever is in the IIS AppPool settings).
Question: How can I grant access or association to my certificate living at the specified directory location to the Network Service or other non-user account?
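As an added example (not code from the original post), the following C# shows how WebService A can load the client certificate in a way that works for a service account, and how to detect the two failure modes behind a silent 403: the certificate having no private key at all (a .cer file carries only the public part, and TLS client authentication needs the private key), and the private key existing but not being readable by the account the app pool runs under. The thumbprint, the PFX path and password, and the hypothetical `ClientCertificateLoader` class are assumptions; `myWebService` is the SOAP proxy from the post.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the original post). Loads the client certificate
// from the LocalMachine store so that it is visible to a service account such
// as "Network Service", and verifies that the private key is both present and
// readable by the calling account before the certificate is attached to the
// web service proxy. Thumbprint and PFX path/password are assumptions.
public static class ClientCertificateLoader
{
    // Hypothetical thumbprint of the client certificate (from the cert's Details tab).
    public const string Thumbprint = "0123456789ABCDEF0123456789ABCDEF01234567";

    // Loads the certificate from LocalMachine\My. A .cer file holds only the public
    // part; client-certificate authentication needs the private key, so the cert
    // is expected to have been imported from a .pfx together with its key.
    public static X509Certificate2 LoadFromMachineStore(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException(
                    "Certificate " + thumbprint + " not found in LocalMachine\\My.");
            X509Certificate2 cert = found[0];
            EnsurePrivateKeyIsUsable(cert);
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    // Alternative: load a .pfx directly, forcing the key into the machine key
    // container (MachineKeySet). Without MachineKeySet the key lands in the
    // user profile of the caller, which a service account may not have loaded.
    public static X509Certificate2 LoadFromPfx(string pfxPath, string password)
    {
        X509Certificate2 cert = new X509Certificate2(pfxPath, password,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
        EnsurePrivateKeyIsUsable(cert);
        return cert;
    }

    // Touching PrivateKey forces CryptoAPI to open the key container; if the
    // account running the app pool lacks read permission on the key file this
    // throws a CryptographicException, which is a much clearer failure than a
    // 403 from the remote service.
    private static void EnsurePrivateKeyIsUsable(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "Certificate " + cert.Thumbprint + " has no private key; a .cer alone cannot authenticate a client.");
        try
        {
            AsymmetricAlgorithm key = cert.PrivateKey;
            if (key == null)
                throw new InvalidOperationException("Private key handle is null.");
        }
        catch (CryptographicException ex)
        {
            throw new InvalidOperationException(
                "Private key of " + cert.Thumbprint + " is not readable by " +
                Environment.UserName + "; grant that account read access to the key.", ex);
        }
    }
}

// Usage inside WebService A (myWebService is the generated SOAP proxy):
// myWebService.ClientCertificates.Add(
//     ClientCertificateLoader.LoadFromMachineStore(ClientCertificateLoader.Thumbprint));
```

The code only detects a missing key permission, it does not grant it. On Windows Server 2003 the ACL on the private key is typically granted to the app pool account with the winhttpcertcfg.exe tool, or by editing the ACL of the key file under the machine's MachineKeys directory; after that, the exception from `EnsurePrivateKeyIsUsable` should disappear and the certificate will actually be sent in the TLS handshake to WebService B.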