Click here to Skip to main content
14,427,617 members
Rate this:
Please Sign up or sign in to vote.
We have developed a Web API application and we are using Mutual TLS V1.2 for Authentication. We have two servers (X and Y) in INTG Environment and also we have a load balancer. Server X and Y are accessed via load balancer server.

I have hit one of the Web Api Get request URL by selecting the Client certificate in Chrome browser if the request goes to server Y and if I pass a valid INTG client certificate it's working fine and If I pass invalid client certificate or other environment(SYST) certificate it throws 401 UnAuthorized. This is the correct behavior and it is working fine in Y. But in the Server X if I pass invalid certificate it's throwing 401 Unauthorized but if I pass SYST Client Certificate it's working and I am getting the 200 response. It should not accept SYST client certificate in INTG Environment and it should throw 401 UnAuthorized but it is accepting it and I am getting 200 Response. I verified both the server configurations everything appears same and I don't see any difference. I identified this issue by stopping the site alternatively in both the servers.

We are using "iisClientCertificateAuthenticationMapping" and in that we have set the "manyToOneCertificateMappingsEnabled" as False and "oneToOneCertificateMapingsEnabled" as True and for "oneToOneMappings" I have set the userName, password and certificate(base64string).

Can you guys please let me know what are the possible reasons for the X server's incorrect behavior.


Server X
Server Y

What I have tried:

I restarted the App Pool analysed with Wireshark logs
Updated 30-Aug-18 0:58am

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CodeProject, 503-250 Ferrand Drive Toronto Ontario, M3C 3G8 Canada +1 416-849-8900 x 100