Client Certificate Authentication in .NET (Windows Server)

Question

I have a very weird issue with a Web Application I have deployed.

Relevant Data:

Application Server: IIS 7.5
Server: Windows Server 2008 R2 Standard SP1
Framework: ASP.NET
.NET Framework: 4 (4.0.30319)
Application Pool: Integrated

I the web application I make use of a service that's authenticated with Client Certificate Authentication. I don't have problems relating to the authentication itself (it is working on my development environment). But I am seeing problems whenever I want to use the service from the server (production) environment.

Here's the relevant portion of the CODE:

private void SetupClienteCertificate(HttpWebRequest req)
{
        var binding = new BasicHttpBinding();
        binding.Security.Mode = BasicHttpSecurityMode.Transport;
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        var crt = new X509Certificate2(
            txtClientCertificateFile.Text, 
            txtCertificatePassword.Text, 
            X509KeyStorageFlags.MachineKeySet
        );
        req.ClientCertificates.Add(crt);
}

The error I am getting is pretty common and self explanatory:

The request was aborted: Could not create SSL/TLS secure channel.

The very weird part of it is that if I run the exact same code from a C# .Net Windows Forms Desktop Application (with the same .NET 4 framework) I can get the code to communicate with the server.

So my question is: Why is it working from the Desktop Application and not working from the ASP.NET Web Application?

Some stuff that I've already made sure of:

1. SSLv3, TLS, TLSv1, TLSv2 are enabled in the registry
2. I am ignoring SSL CERTIFICATE ERRORS (not necessary, but JUST IN CASE )
3. Restarted the Application Pool every time I change something configuration wise.

Any ideas?

Answer 1

I think I get your problem. Can you ensure the account under which application pool is running have sufficient privilege to read certificate from certificate store .