403 – Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.

At a very high level under IIS server if you receive 403 error code means the content is forbidden but if you deeply check the server logs from IIS you will get an error code like 403.1 or 403.16 or 403.20. For a complete list please follow the under given link which will give you more idea about the error code and description. https://support.microsoft.com/en-us/kb/318380

I faced under given error which took my one month to figure out the solution.

403.16 – Client certificate is untrusted of invalid.

I would like to elaborate my environment a little bit so that it becomes more clear why i was getting this error. I configured a web application on IIS8.5 which requires a client SSL certificate for authentication. Client certificate and server certificate were completely perfect and everything seems normal. Both certificates were from the same CA and trust each other without any problem. None of them were even near to expiry date. Still application was giving this error code: 403 – Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.


I Google every bit to find a solution which could solve my problem but still found nothing. Many users shared about windows updates which were released to cure the SCHANNEL vulnerabilities but created these kinds of problems. After removing and restarting my production server still the issue remained there. Under given are the URLs to those security bulletins.



As the error suggests that there is some problem with the client certificate. Actually there is no problem with the client certificate. The problem is with the server which is hosting the IIS website and have the server side certificate. The server is not able to check the revocation of the certificate from the Trusted Root Authority. The solution of this problem is given as under:

Open the registry editor (Be-careful!!!!!!!)

Navigate to under given path


Create a new D-Word entry name “ClientAuthTrustMode”

Put 2 in the data field (2 mean revocation will not be checked)

This solved my problem and saved my lot of time from moving my production environment to some other server.

Share your views if this post solved your problem or helped you in any way.