Microsoft KB Archive/252657: Difference between revisions

From BetaArchive Wiki

Latest revision as of 12:51, 21 July 2020

Knowledge Base


IIS 5.0: HTTP 403.16 Forbidden: Client Certificate Untrusted or Invalid.

Article ID: 252657

Article Last Modified on 1/11/2007



APPLIES TO

  • Microsoft Internet Information Services 5.0



This article was previously published under Q252657

SYMPTOMS

When you connect to a secure (HTTPS) Web site, you may be presented with a "Client Authentication" dialog box, prompting you to select a client certificate to use for authentication with the IIS computer. When you select a client certificate, you may be denied access and the following error message may occur:

HTTP 403.16 Forbidden: Client certificate untrusted or invalid.

CAUSE

This error can occur if you choose a client certificate created by a Certificate Authority (CA) that is not trusted by the IIS computer.

If the client certificate was created by a CA that is trusted by the IIS computer, then it is possible this error is caused by a known issue with Windows 2000 when it is configured to "Trust Only Enterprise Root Stores."

WORKAROUND

If you do not have a client certificate that was created by a CA trusted by the IIS computer, you can either request a new client certificate from a Certificate Authority that is trusted by the IIS computer or have an administrator configure the IIS computer to trust the CA that created your client certificate. For additional information on installing new Trusted Certificate Authorities on the IIS computer, click the article number below to view the article in the Microsoft Knowledge Base:

216339 Using Secure Sockets Layer, Root Certifying Authority Certificates, and Iisca.exe


If you do have a client certificate that was created by a CA trusted by the IIS computer, then it is possible that your Windows 2000 domain has been configured with a group policy that forces the IIS computer to "Trust Only Enterprise Root Stores." If this policy is enabled, the authentication will still fail, even if the CA is a Trusted Root Store.

To work around this issue, remove the Group Policy Trust only Enterprise Root stores option for the domain. To do this, perform the following steps:

  1. Start the Default Domain Policy Group Policy Editor.
  2. Select Computer Settings, choose Computer Configuration, and then select Windows Settings.
  3. Choose Security Settings, select Public Key Policies and then choose Trusted Root Certification Authorities.
  4. Right-click the Trusted Root CA node, and then select Properties.
  5. Disable the Trust only Enterprise Root stores option.


STATUS

Microsoft has confirmed that this is a problem in Microsoft Internet Information Services version 5.0.



Additional query words: IIS 5

Keywords: kbbug kbfix kbprod2web KB252657