This is what I wish to achieve:
My ASP.NET web service is hosted on a server called //service. I want to control access to the web service by server and by application as well. What I mean here is if I have two ASP.NET web applications (app1 and app2) hosted on a server called //web1 and I only want //web1/app1 to be able to call the web service. I know that I can grant access to the IP address of //web1 but that would allow both //web1/app1 and //web1/app2 access to the web service.
I am thinking about using an SSL certificate as I don't want the web application to handle the login/password. on //service, I will grant access to the ip of //web1 and map a client certificate from //web1 to a windows account and this will allow only applications from //web1 to access. But then how do I further control the access to only //web1/app1?
You can use standard HTTP Authentication to control which applications have access to your web service.
Credentials are passed in the Authorization header with each request. Every web service client (i.e. //web1/app1) should have its own credentials, so if //web1/app2 tried to connect to the web service without providing recognized credentials, it would be denied access.
I recommend using SSL to encrypt all traffic, so that authentication information and other sensitive data is secure.
Here are a few articles that may be helpful: