HTTP error 403.16 - client certificate trust issue

iis ssl certificate client-certificates
64,210

Solution 1

Windows 2012 introduced stricter certificate store validations. According to KB 2795828: Lync Server 2013 Front-End service cannot start in Windows Server 2012, the Trusted Root Certification Authorities (i.e. Root) store can only have certificates that are self-signed. If that store contains non-self-signed certificates, client certificate authentication under IIS returns with a 403.16 error code.

To solve the problem, you have to remove all non-self-signed certificates from the root store. This PowerShell command will identify non-self-signed certificates:

Get-Childitem cert:\LocalMachine\root -Recurse | 
    Where-Object {$_.Issuer -ne $_.Subject}

In my situation, we moved these non-self-signed certificates into the Intermediate Certification Authorities (i.e. CA) store:

Get-Childitem cert:\LocalMachine\root -Recurse | 
    Where-Object {$_.Issuer -ne $_.Subject} | 
    Move-Item -Destination Cert:\LocalMachine\CA

According to KB 2801679: SSL/TLS communication problems after you install KB 931125, you might also have too many trusted certificates.

[T]he maximum size of the trusted certificate authorities list that the Schannel security package supports is 16 kilobytes (KB). Having a large amount of Third-party Root Certication Authorities will go over the 16k limit, and you will experience TLS/SSL communication problems.

The solution in this situation is to remove any certification authority certificates you don't trust, or to stop sending the list of trusted certifiation authorities by setting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\@SendTrustedIssuerList registry entry to 0 (the default, if not present, is 1).

If the issue continues to persist after the above steps, restart the machine.

Solution 2

In my case I'd been adding the root cert into the 'current user' certificate store on the server and was getting the 403.16 error.

Adding my root cert to the Trusted Root Authorities store for the local machine resolved the issue.

Follow the steps below on the server running IIS.

For Windows Server 2008 R2:

  1. Right click on the certificate file and select 'Install Certificate'. Click next.
  2. Select 'Place all certificates in the following store' and click 'Browse...'
  3. Check 'Show physical stores'
  4. Expand 'Trusted Root Certification Authorities' and select 'Local Computer'. Click OK.
  5. Click Next/Click Finish.

For Windows Server 2012 R2:

  1. Right click on the certificate file and select 'Install Certificate'.
  2. Select 'Local Machine'. Click Next.
  3. Select 'Place all certificates in the following store' and click 'Browse...'
  4. Select 'Trusted Root Certification Authorities'. Click OK.
  5. Click Next/Click Finish.

For Windows 7:

  1. Start -> Run -> mmc.exe
  2. File -> 'Add or Remove Snap-ins'. Select 'Certificates', click 'Add >' and select 'Computer account' and then 'Local computer'. Click Finish/OK
  3. Expand Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates. Right click on Certificates and select All Tasks -> Import.
  4. Select the certificate file and click next.
  5. Select 'Place all certificates in the following store' and click 'Browse...'
  6. Check 'Show physical stores'
  7. Expand 'Trusted Root Certification Authorities' and select 'Local Computer'. Click OK.
  8. Click Next/Click Finish.
Share:
64,210
Eric
Author by

Eric

Updated on July 09, 2022

Comments

  • Eric
    Eric almost 2 years

    I am trying to implement client certificate authentication on IIS 8. I have deployed my configuration on a development machine and verified it working as expected there. However after setting up on the server, whenever I navigate to the site and am prompted for the client cert, I select it and immediately get the 403.16 error. The failed requests log gives the error code 2148204809 and message "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."

    I have a valid client cert and also a valid CA cert. The CA cert is installed in Trusted Root Authorities on the computer account on both the server and the client machine, and the client cert is installed in the Personal area of the Current User account on the client machine.

    The client cert is signed directly by the root CA and as I said, both are valid. There are no other certs in the chain and there are no intermediate certs in the Trusted Root Authorities area.

    The IIS configuration has sslFlags = SslNegotiateCert and iisClientCertificateMappingAuthentication is enabled.

    The server is not configured to send a CTL and we have SendTrustedIssuerList = 0.

    I cannot see why the client cert should not be trusted.

  • Thomas Zweifel
    Thomas Zweifel about 8 years
    Great answer! After hours of Investigation this answer saved our lives!
  • Shubh
    Shubh about 8 years
    Adding my root cert to the Trusted Root Authorities store for the local machine resolved the issue. I am not sure.. How??
  • PST
    PST about 8 years
  • inser
    inser over 7 years
    Man, this is my favorite answer on this site. I spent 2 days trying to understand what's wrong with Client certificate validation and why my trusted cert is not valid. The problem was that I have 1 not self-signed certificate in trusted root authority. Thank you very much!!!
  • Francis Norton
    Francis Norton about 7 years
    Really appreciate having both the one-liner diagnostic and the one-liner fix for the first scenario - classy way to deliver an already good answer.
  • Derek Hunziker
    Derek Hunziker over 6 years
    Here because xConnect and @nsgocev ;)
  • Brandon Gano
    Brandon Gano about 6 years
    I wish I'd found your answer sooner! We randomly started seeing 403 responses from a web service after updating a certificate the service used to validate requests. Your second PowerShell command above fixed the issue and we're back up and running.
  • theMayer
    theMayer over 5 years
    It's also important to note that you should make sure you're looking at the LocalMachine account, as certmgr opens up with the current user by default (you have to open it with MMC in administrative mode).
  • Slobo80
    Slobo80 over 5 years
    It solved my problem on win10 1809 running iis express.
  • Pani
    Pani over 3 years
    Aaron, Your document is very helpful, however in our case application will work for a while and again it start throwing 403.16. We believe, This is happening because the non self sign certificate which is moved to "Intermediate Certificate Authorities" re appear in root after few minuets, we guessing it could be due to group policy update. However, if we move that By running your 2nd PowerShell, Issue will not resolve, it keep showing 403.16. What other reasons could cause 403.16. Please assist.
  • user2966445
    user2966445 about 3 years
    Is there a way around this issue other than moving the certs from root (which I don’t have access to do?) IIS is returning a 403.16 error for a valid cert and I do see a couple of intermediate certs in the root store (not related to the chain of the cert I’m using though).
  • Aaron Jensen
    Aaron Jensen about 3 years
    Not that I’m aware of. :-(

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Can you check/monitor the client certificates sent in requests using Wireshark?
How to create a self-signed SSL certificate with subject alternate names (SAN) for IIS websites
Have both Hostname and FQDN in SSL Certificate on IIS
How to create self signed wildcard (*.example.com) certificate
Can I use Active Directory as a CA for creating test SSL certificates for IIS?
IIS7 Not sending Intermediate SSL Certificate
IIS 7.0 - SSL certificate - renew or new?
SSL certificate sometimes stops working
Mutual certificates authentication fails with error 403.16
SSL Certificate missing from dropdown in SQL Server Configuration Manager