Q252657: IIS 5.0: HTTP 403.16 Forbidden: Client certificate Untrusted
Article: Q252657
Product(s): Internet Information Server
Version(s): winnt:5.0
Operating System(s):
Keyword(s): kbOSWin2000 kbiis500prod2web kbhttp40316 kbProd2Web
Last Modified: 31-JUL-2001
-------------------------------------------------------------------------------
The information in this article applies to:
- Microsoft Internet Information Services version 5.0
-------------------------------------------------------------------------------
SYMPTOMS
========
When you connect to a secure (HTTPS) Web site, you may be presented with a
"Client Authentication" dialog box, prompting you to select a client certificate
to use for authentication with the IIS computer. When you select a client
certificate, you may be denied access and the following error message may
occur:
HTTP 403.16 Forbidden: Client certificate untrusted or invalid.
CAUSE
=====
This error can occur if you choose a client certificate created by a Certificate
Authority (CA) that is not trusted by the IIS computer.
If the client certificate was created by a CA that is trusted by the IIS
computer, then it is possible this error is caused by a known issue with Windows
2000 when it is configured to "Trust Only Enterprise Root Stores."
WORKAROUND
==========
If you do not have a client certificate that was created by a CA trusted by the
IIS computer, you can either request a new client certificate from a Certificate
Authority that is trusted by the IIS computer or have an administrator configure
the IIS computer to trust the CA that created your client certificate. For
additional information on installing new Trusted Certificate Authorities on the
IIS computer, click the article number below to view the article in the
Microsoft Knowledge Base:
Q216339 Using Secure Sockets Layer, Root Certifying Authority Certificates,
and Iisca.exe
If you do have a client certificate that was created by a CA trusted by the IIS
computer, then it is possible that your Windows 2000 domain has been configured
with a group policy that forces the IIS computer to "Trust Only Enterprise Root
Stores." If this policy is in enabled, the authentication will still fail, even
if the CA is a Trusted Root Store.
To work around this issue, remove the Group Policy Trust only Enterprise Root
stores option for the domain. To do this, perform the following steps:
1. Start the Default Domain Policy Group Policy Editor.
2. Select Computer Settings, choose Computer Configuration, and then select
Windows Settings.
3. Choose Security Settings, select Public Key Policies and then choose Trusted
Root Certification Authorities.
4. Right-click Trusted Root CA node, and then select Properties.
5. Disable the Trust only Enterprise Root stores option.
STATUS
======
Microsoft has confirmed this to be a problem in Microsoft Internet Information
Services version 5.0.
Additional query words: IIS 5
======================================================================
Keywords : kbOSWin2000 kbiis500prod2web kbhttp40316 kbProd2Web
Technology : kbiisSearch kbiis500
Version : winnt:5.0
Issue type : kbbug
Solution Type : kbfix
=============================================================================
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Copyright Microsoft Corporation 1986-2002.