I have been attempting to set up client cert authorization on an IIS endpoint. Following the tutorial at https://joji.me/en-us/blog/how-to-create-an-iis-website-that-requires-client-certificate-using-self-signed-certificates/ I created a root cert, and then a server cert and a client cert from that root cert.
I see that on my server (Windows 2012 R2, using IIS 8.5), when I install the root cert into the Trusted Root certificate store and the client cert into the Personal Store for the current user I am able to browse to the endpoint. I type in the address (https://localhost/foobar/endpointName), a list of client certificates appears for me to choose from, and if I select the correct one I reach the endpoint.
It is a different story remotely. When I try from a different machine that has that same client cert installed in the user's Personal store, I do not get a list of client certs to choose from, I simply get a 403 Unauthorized error. In this case the URL is https://serverCertName.domain.com/foobar/endpointName, where serverCertName.domain.com has the proper A record. I have also attempted this in IE where you can load a cert specifically and got the same result. In the IIS logs on the server I am trying to reach, these attempts are logged as a 403.7.
I have also tried this from code on a remote server using HttpClient (C#) and get an Unauthorized there, as well. I have stared at my screen a good long while trying to figure out what the difference could be here between my local requests and my remote ones, but my Internet search skills are failing me this time.
