MVC App and API Communication Issue on Local IIS with Client Authentication

I have inherited an ASP.NET MVC Application and an ASP.NET Web Api which both use SSL along with the api requiring client certificates. Both have been in production for over a year now with minor changes.

For development everything was originally set up with IIS Express and everything worked fine but now I have a requirement to move the local dev environment out of IIS Express and into Local IIS. My problem is all requests from the app to the api are failing with my setup.

I think I have my IIS (Windows 7 IIS 7.5) setup correct but it’s possible I could have something wrong. I have two different sites running on different ports for the api and app as well as what looks to be the appropriate settings for SSL and one to one mapping. Both sites have different app pools with two local users setup (I tried NetworkService originally). I added two domains to my host file (localapp.com and localapi.com) and I created two certificates for both domains with makecert. The api certificate is marked for server authentication and the app certificate is marked for server and client authentication (I have tried separate certificates for both purposes). The two SSL certificates have private keys that were marked as exportable when added to the certificate store and I have given private key permissions to the two local accounts. My self-signed root certificate is added to the LocalMachine root certificate store and the two site certificates (signed with the root certificate) are in the LocalMachine personal store. I can connect to both sites independently and don’t receive any warnings about certificate errors.

If I access an api URL through Chrome I can select the appropriate client certificate and see the JSON data expected. Accessing the app is similar in that I don’t get any certificate warnings but no data is being returned in any api calls it makes.

The app is using RestSharp for its HTTP requests and I have verified through debugging that the correct client certificate is being added to the request and a private key does exist. The code that is adding the certificate to the request should be fine since it has been running for over a year and nothing has changed. Every api request from the app returns

“System.ComponentModel.Win32Exception: The credentials supplied to the package were not recognized”

and

“The request was aborted: Could not create SSL/TLS secure channel.”

If I look into the network trace I get the following in regards to the localapp.com certificate…

System.Net Information: 0 : [6564] SecureChannel#37489757 - Left with 1 client certificates to choose from.
System.Net Information: 0 : [6564] SecureChannel#37489757 - Trying to find a matching certificate in the certificate store.
System.Net Information: 0 : [6564] SecureChannel#37489757 - Locating the private key for the certificate: [Version]
  V3

[Subject]
  CN=localapp.com
  Simple Name: localapp.com
  DNS Name: localapp.com

[Issuer]
  CN=DevRoot
  Simple Name: DevRoot
  DNS Name: DevRoot

[Serial Number]
  975C024DB7A08A9A48BE78F3382D4A93

[Not Before]
  12/31/2015 11:00:00 PM

[Not After]
  12/30/2039 11:00:00 PM

[Thumbprint]
  28F3032F0E6ED488CFFE6706D3B17F851EFE1860

[Signature Algorithm]
  sha512RSA(1.2.840.113549.1.1.13)

[Public Key]
  Algorithm: RSA
  Length: 4096
  Key Blob: 30 82 02 0a 02 82 02 01 00 a9 c2 27 fc 60 11 1d 99 fe 1e e7 fb 05 b4 75 33 4a e3 d5 33 15 0c 9d 72 6a 3a df e2 58 49 20 34 39 59 77 7e 85 f7 fa 93 53 92 1d fa 63 32 98 b1 66 74 b6 60 23 e2 2b 97 f6 d9 ce bb 0a 1a ae 2f c8 a1 44 6f 60 12 9a bd b6 33 87 90 8d 1c 1f 61 7e f5 85 41 de 30 11 78 01 72 6b eb 77 8e 1b 9f 58 45 f6 ad 0d d3 2d ec 59 1d 63 2a 18 2f 77 87 6c a3 fe ee 68 2e 12 94 6a d5 ce 69 77 98 f2 14 bd bb ff eb 49 ac 1d a5 06 bf 97 51 0e 36 e6 8f 55 45 a3 91 29 77 94 93 1a 78 54 ....
System.Net Information: 0 : [6564] SecureChannel#37489757 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [6564] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Error: 0 : [6564] AcquireCredentialsHandle() failed with error 0X8009030D.
System.Net Information: 0 : [6564] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Error: 0 : [6564] AcquireCredentialsHandle() failed with error 0X8009030D.
System.Net.Sockets Verbose: 0 : [16268] Socket#3648821::Dispose()
System.Net Error: 0 : [16268] Exception in HttpWebRequest#16098066:: - The request was aborted: Could not create SSL/TLS secure channel..
System.Net Verbose: 0 : [16268] HttpWebRequest#16098066::EndGetResponse()
System.Net Error: 0 : [16268] Exception in HttpWebRequest#16098066::EndGetResponse - The request was aborted: Could not create SSL/TLS secure channel..

The trace log looks like I don’t have permissions set up correctly but I have explicitly given the local users permissions to the private keys for both the app and api certificates. Everyone else with the 0X8009030D error looks to have solved the issue by adding the app pool user to the private key permissions. If I go to Manage Private Keys in the MMC snap in for the localapp.com certificate I see my LocalApp and LocalApi users having read permissions.

I am completely out of ideas on things I can try to get the communication to work. It is probably something very simple but no matter what I try it just won’t work.

Anyone ever try this set up before and have success or anyone have ideas I can try to get this working?

Any help is greatly appreciated.

Thanks in advance!

-Aaron