Microsoft KB Archive/884115

= You receive a "403.13 client certificate revoked" error message when you connect to a computer that is running Windows Server 2003 and Internet Information Services 6.0 =

Article ID: 884115

Article Last Modified on 12/3/2007


APPLIES TO

* Microsoft Internet Information Services 6.0, when used with:
** Microsoft Windows Server 2003, Standard Edition (32-bit x86)
** Microsoft Windows Server 2003, Web Edition
** Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)



SYMPTOMS
When you connect to a computer that is running Microsoft Windows Server 2003 and Microsoft Internet Information Services (IIS) 6.0, you may receive the following error message after you select a certificate:

403.13 Client Certificate Revoked


CAUSE
You may receive this error message if mutual authentication is enabled.

This problem occurs because of a certificate revocation list (CRL) retrieval timeout. Windows Server 2003 introduces new Microsoft Cryptography API (CAPI) behavior regarding network timeouts. This change was first made to address the problem of long delays that occur because of CAPI blocking during CRL retrievals when the target URL is inaccessible.

In Windows Server 2003, the default timeout is set to 15 seconds. Windows Server 2003 includes a feature that retries the download on a background thread with a default timeout of 60 seconds. CRLs that reside on a Lightweight Directory Access Protocol (LDAP) URL may be particularly affected because of reduced throughput.


WORKAROUND
To work around this problem, manually download the CRL, and then install it to the local computer certificate store.

Note: Because the CRL is valid only for a limited time, you must retrieve a new CRL periodically.

To install a CRL to the local computer certificate store, follow these steps:

# Log on to the computer as a member of the local administrators group.
# Open the Certificates snap-in for the Computer account. To do this, follow these steps:
## Click Start, click Run, type mmc, and then click OK.
## On the File menu, click Add/Remove Snap-in. The Add/Remove Snap-in dialog box appears.
## On the Standalone tab, click Add. The Add Standalone Snap-in dialog box appears.
## In the Available Standalone Snap-ins list, click Certificates, and then click Add.
## Click Computer account, and then click Next.
## Click Local computer, and then click Finish.
## Click Close, and then click OK.
# Expand Certificates, right-click Intermediate Certification Authorities, click All Tasks, and then click Import.
# Follow the instructions in the wizard to complete the installation.
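
The same import can be scripted with certutil, which makes the periodic refresh described in the note above easier to repeat. This is an added example, not part of the original article; it assumes the CRL file has already been retrieved, takes its path as the first argument, and must be run by a member of the local administrators group.

```bat
@echo off
rem Added example (not from the original KB article).
rem Installs a manually retrieved CRL into the local computer
rem Intermediate Certification Authorities store (certutil store name "CA").
rem Assumption: the CRL was already downloaded; its path is argument 1.
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 path\to\file.crl
    exit /b 2
)
if not exist "%~1" (
    echo CRL file not found: %~1
    exit /b 2
)

rem Show the validity window so the operator can see when the
rem next manual refresh is due.
certutil -dump "%~1" | findstr /I /C:"ThisUpdate" /C:"NextUpdate"

rem Without -user, certutil works on the local computer store.
rem -f forces the add so a newer CRL can replace an existing entry.
certutil -f -addstore CA "%~1"
if errorlevel 1 (
    echo CRL import failed.
    exit /b 1
)

echo CRL installed. Retrieve and import a new CRL before the NextUpdate time shown above.
endlocal
```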


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


MORE INFORMATION
Windows Server 2003 Service Pack 1 (SP1) is scheduled to include configurable timeout settings that are similar to those that are documented in the following article in the Microsoft Knowledge Base:

841632 You receive the "403.13 client certificate revoked" error message after you install the MS04-11 security update

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

841641 IIS returns a "403.13 Client Certificate Revoked" error message after you install MS04-011 because of Wininet proxy settings

841642 Errors with client certificates occur after you install the MS04-011 security update on an IIS 5.0 computer

Keywords: kbtshoot kberrmsg KB884115


© Microsoft Corporation. All rights reserved.