403.16 – Client certificate is untrusted or invalid.
At a very high level, a 403 error code from an IIS server means the content is forbidden, but if you check the IIS server logs closely you will find a more specific code such as 403.1, 403.16 or 403.20. For a complete list, follow the link given below, which lists the error codes and their descriptions. IIS Error Codes
I faced the error given below, and it took me one month to figure out the solution.
403.16 – Client certificate is untrusted or invalid.
I would like to describe my environment a little so that it becomes clearer why I was getting this error. I configured a web application on IIS 8.5 which requires a client SSL certificate for authentication. The client certificate and the server certificate were completely fine and everything seemed normal. Both certificates were from the same CA and trusted each other without any problem. Neither of them was anywhere near its expiry date. Still, the application was giving this error code: 403 – Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.
I Googled every bit to find a solution to my problem but still found nothing. Many users wrote about Windows updates which were released to fix the SCHANNEL vulnerabilities but created these kinds of problems. After removing them and restarting my production server, the issue still remained. The URLs of those security bulletins are given below.
https://technet.microsoft.com/en-us/library/security/ms14-066.aspx?f=255&MSPPError=-2147217396
https://technet.microsoft.com/en-us/library/security/ms15-031.aspx?f=255&MSPPError=-2147217396
The error suggests that there is some problem with the client certificate. Actually, there is no problem with the client certificate. The problem is with the server which hosts the IIS website and holds the server-side certificate. The server is not able to check the revocation of the certificate from the Trusted Root Authority. The solution to this problem is given below:
Resolution
1. Open the registry editor (be careful!).
2. Navigate to the path given below:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
3. Create a new DWORD entry named “ClientAuthTrustMode”.
4. Put 2 in the data field (2 means revocation will not be checked).
This solved my problem and saved me a lot of time, as I did not have to move my production environment to some other server.
Share your views if this post solved your problem or helped you in any way.
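The Resolution steps above, scripted in PowerShell as an added example (not code from the original post): it reports the current ClientAuthTrustMode, optionally runs certutil's revocation fetch against an exported client certificate, and writes the value 2 only when called with -Apply. The parameter names and file paths are assumptions; the mode names in the comments are the ones Microsoft's Schannel documentation gives for values 0, 1 and 2.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. $BackupFile and $ClientCert are
# hypothetical parameters introduced for illustration.
param(
    [string]$BackupFile = "$env:TEMP\schannel-backup.reg",  # assumed backup location
    [string]$ClientCert = '',   # optional: path to a .cer export of the client certificate
    [switch]$Apply              # without -Apply the script only reports
)

$KeyPath = 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$Name    = 'ClientAuthTrustMode'

# Mode names as listed in Microsoft's Schannel documentation for this value.
$Modes = @{ 0 = 'Machine Trust (default)'; 1 = 'Exclusive Root Trust'; 2 = 'Exclusive CA Trust' }

function Get-ClientAuthTrustMode {
    # Returns the configured DWORD, or $null when the value does not exist.
    $prop = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]($prop.$Name)
}

$current = Get-ClientAuthTrustMode
$shown = if ($null -eq $current) { 'not set (Schannel default applies)' }
         else { "$current ($($Modes[$current]))" }
Write-Output "Current ${Name}: $shown"

# Diagnostic for the cause described in the post: can this server retrieve
# revocation data (CRL/OCSP) for the client certificate's chain?
if ($ClientCert -and (Test-Path $ClientCert)) {
    certutil.exe -f -urlfetch -verify $ClientCert |
        Select-String -Pattern 'revocation|CRL|OCSP|error'
}

if ($Apply -and $current -ne 2) {
    # Export the key first so the previous state is on record.
    reg.exe export 'HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $BackupFile /y | Out-Null
    New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value 2 -Force | Out-Null
    Write-Output "Set $Name = 2 (key exported to $BackupFile)"
    # Print the exact rollback command for the state that was found.
    if ($null -eq $current) {
        Write-Output "Rollback: Remove-ItemProperty -Path '$KeyPath' -Name $Name"
    } else {
        Write-Output "Rollback: Set-ItemProperty -Path '$KeyPath' -Name $Name -Value $current"
    }
}
```

The value is read by Schannel system-wide, so it affects every TLS client-certificate endpoint on the server, not only the one IIS site.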
Hello,
I run into the same problem time and time again, although whilst it is nice to bypass the SSL security in some set circumstances, e.g. lab testing or pre-development in non-production servers, it is a good way and regedit should be used to open up the registry edit, I run it from the command prompt under run as “administrator”. It is normally asking you for a security certificate that is from Geotrust or Comodo, they can be also purchased through the following web site http://www.brimains.com – So far, it is good to assign the relevant directories to read write everyone (for the username) and everyone you can set to read/list, be careful when setting ‘everyone’ permissions to read/write although it is good to set this like on public directories accessible by anyone.
You are awesome… I already wasted 3-4 hours and luckily saw your link…and your solution fixed the issue. Thanks a lot man…
Deployed as instructed in this post and after reboot, access to the requested website was restored.
A+++++
Dude you are awesome, I’ve been having this problem on a specific website for two weeks and this solved it. Thanks a million!!
Thanks Bro 🙂
I just deleted my cookies and it went away lol
2016-09-27 03:57:11 W3SVC1 127.0.0.1 GET / – 80 – 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+.NET4.0C;+.NET4.0E) 403 4 5
How to fix this error?
You need to give write permission to the IIS user on the directory where the files are stored. Make sure the IIS_IUSRS user has write permission on that directory. If you are still getting this error, go to the Windows directory of the server and provide write permission to IIS_IUSRS on the TEMP directory. I hope this will solve your problem.
Wow, a lot of ads circle this great tip. Thanks.
Sorry for the ads. It's being managed by someone else and I am just adding the content. I'll ask my partner to remove some ads.
Was having this exact issue with a DR server (which was a VM clone of Prod). The reg update works fine, thanks!
It worked! Thank you so much!
Please share with your contacts so that more people can solve this problem.
Thanks a lot. You saved my time.
Thanks, worked for me!