IIS 7 also creates "IUSR" as default user to access files via IIS. So make user IUSR has read access to files/folders.
How to check if IUSR has read Access?
Right Click -> Folder -> Properties -> Security Tab
See if IUSR is in Group or user names list, If No.
Click Edit -> Add -> Advanced -> Find Now -> Select IUSR and click OK four times
Cisco IPSec, Juniper Junos Pulse, and Cisco AnyConnect can be configured for VPN on-demand for certain destination hosts/networks as they are part of the route and can realize the need to establish a VPN connection first in order to connect to those hosts/networks;
So in case of your Linux based PPTP VPN server, as far as that server is not your default routing gateway, VPN on Demand is meaningless. In this configuration your server should be a Cisco IPSEC compatible Gateway on linux and your iOS devices' default routing gateway too.
In case of Apple iOS device, VPN on Demand allows iOS device to establish a transparent and secure connectivity to a remote enterprise network with no more manual configuration at user side.
This VPN on Demand feature cannot be manually configured on the iOS device and requires a certificate-based authentication and is currently supported on Cisco IPSec, Juniper Junos Pulse, and Cisco AnyConnect.
In order to activate and configure it on iOS devices, you must create a configuration profile and then provision the device.
Another form of VPN on Demand is available on Mac OSX devices where Safari decides to establish a VPN connection to connect to certain domains/networks (e.g. vpn.mycompany.com) that you have already listed as VPN on Demand and configured its connection settings profile (password/certificate).
More Info:
iOS VPN on Demand:
http://www.0x8847.net/2010/07/iphone-os-vpn-on-demand/
http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf
OSX VPN on Demand:
http://docs.info.apple.com/article.html?path=Mac/10.6/en/15575.html
For a Cisco IPSec Gateway on Linux, I recommend you use Open source package StrongSwan for your iOS VPN on Demand
http://www.strongswan.org/
Use --enable-cisco-quirks parameter to build StrongSwan to make it compatible with Cisco IPSEC.
It is a stable certification based, IPsec Gateway on linux that is compatible with iOS VPN on Demand requirements.
Check following link for setup iOS on StrongSwan:
http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
Authentication uses XAUTH and certificates (authby=xauthrsasig).The described setup has been tested and confirmed working on an iPad 2 with iOS 4.3.1, but is expected to work on all other iOS devices (iPhone, iPad, iPod Touch) running an up to date iOS version.
Best Answer
I would put this as a commment, but I dont have enough reputation D:
First you need an asp.net website with certificate authentication, you don't need to worry about the iPad part at this point, just get the website running on localhost, most of the configuration is done on the web.config(at least it is for a web service, my experience with certificate authentication is only in WCF, but I assume asp.net should be the same way).
After that I would try to connect to the site with different browsers using different certificates, to check if everything works correctly.
And finally after it's working on your desktop you should try your site on the iPad. With this part I have no idea how it works exactly(i don't own any iDevices), but if it's like a desktop browser, you should be able to choose the certificate when you try to access the website.
Let me know if this made any sense to you lol