I have an ASP.NET MVC3 application with an action filter attribute applied to a controller:
public class MyFilterAttribute : ActionFilterAttribute
public override void OnActionExecuting(
"MyFilterAttribute", "entered" );
public override void OnResultExecuted(
"MyFilterAttribute", "exited" );
public class MyController : Controller
public ActionResult MyAction()
return new EmptyResult();
// lots of stuff, then
sslFlags="SslNegotiateCert" requests that IIS opens a mutually verified channel which is not the default behavior. I looked into IIS logs and it's HTTP 403.16 (client certificate untrusted) all the time. Because the client certificate is self-signed IIS doesn't trust it and so fails to open a mutually verified channel.
Either I have to not use
SslNegotiateCert (and then the client certificate is not passed to application code) or I need a certificate which IIS trusts (this answer explains how that can be achieved).