
Install client certificate for IIS App Pool account

Scenario:

  • A client calls WebService A on the LAN. WebService A is running under an App Pool with Identity "Network Service".
  • WebService A does some work, prepares to call WebService B.
  • WebService B requires a client cert (*.cer) and SSL.
  • WebService A is on a dedicated Windows 2003 server.
  • Everything works in the Dev environment as it should (but the developer with Administrator privileges is always logged on locally; no surprise!).
  • The certificates are stored on disk at C:\MyCertificates\
  • The certificate is being applied at runtime successfully in Dev with this snippet: myWebService.ClientCertificates.Add(X509Certificate.CreateFromCertFile(certPath));

Problem: WebService A is calling WebService B, and the returned exception is:

The request failed with HTTP status 403: Forbidden

This really means that the certificate was not sent in the request to WebService B.

I am under the assumption that installing this cert into the browser is not a solution. The browser settings typically are per-user, and I need to give the certificate to the user whose credentials the web service is running under. (e.g. Network Service, System, or whatever is in the IIS AppPool settings).

Question: How can I grant access or association to my certificate living at the specified directory location to the Network Service or other non-user account?

p.campbell asked Jun 23 '09 18:06



1 Answer

This Microsoft knowledgebase article may be of use:

How to call a Web service by using a client certificate for authentication in an ASP.NET Web application (MS KB901183)

Your web service 'A' would effectively be the ASP.NET application calling the web service as described in the article.

Kev answered Sep 23 '22 11:09
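
An added example, not code from the question, the answer or the KB article: a C# check to run under the App Pool identity (for example from WebService A itself) that reports whether a certificate in the LocalMachine\My store has a private key that identity can use, since a certificate with no usable private key cannot authenticate the client. It assumes the certificate was imported together with its private key into that store; the class name, method name and the subject name passed in are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

public static class ClientCertCheck   // hypothetical helper, not from the page
{
    // Looks up a certificate by subject name in LocalMachine\My and reports
    // whether the identity running this code can use its private key.
    // Returns the certificate when usable, otherwise null plus a diagnosis.
    public static X509Certificate2 FindUsableClientCert(string subjectName, out string diagnosis)
    {
        string identity = WindowsIdentity.GetCurrent().Name;
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, false);
            if (found.Count == 0)
            {
                diagnosis = "No certificate with that subject in LocalMachine\\My.";
                return null;
            }
            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
            {
                diagnosis = "Certificate has no associated private key (public part only).";
                return null;
            }
            try
            {
                // Reading the key forces the access check for the current identity.
                if (cert.PrivateKey == null)
                    throw new CryptographicException("Private key handle is null.");
                diagnosis = identity + " can use the private key.";
                return cert;
            }
            catch (CryptographicException ex)
            {
                diagnosis = identity + " cannot use the private key: " + ex.Message;
                return null;
            }
        }
        finally { store.Close(); }
    }
}
```

When the method returns a certificate, it can be passed to myWebService.ClientCertificates.Add(...) in place of the file-based load; when it returns null, the diagnosis string says which of the three conditions failed for the account the code is running as.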