
Ondrej Sevecek's English Pages


Engineering and troubleshooting by Directory Master!
MCM: Directory

May 16
HTTPS error 403.16 when using Client Authentication certificate against IIS web server running on Windows 2012 R2

Today, I was presenting some client certificate and smart card authentication against web applications running on Windows 2012 R2 and it did not work. I have done this a million times before without any problem, but today, the following symptoms appeared:

Error 403 - Forbidden, access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.

HTTP Error 403.16 - Forbidden
Your client certificate is either not trusted or is invalid.
The client certificate used for this request is not trusted by the web server.

sc-win32-status = 2148204809 = 0x800b0109 = CERT_E_UNTRUSTEDROOT

After some debugging yielded nothing, I went searching and found this one.

There seems to be some update or something that imported one non-self-signed certificate into the web server's Trusted Root Authorities certificate store. The faulty guy was called VeriSign Class 3 Code Signing 2010 CA which is actually an intermediate certificate signed by root CA called VeriSign Class 3 Public Primary Certification Authority - G5.

Once I moved the VeriSign Class 3 Code Signing 2010 CA intermediate certificate from the trusted root store to the Intermediate Certification Authorities certificate store, the problem immediately disappeared.

Nobody knows what the hell component put this VeriSign Class 3 Code Signing 2010 CA into my trusted root certification authorities store. I suspect SharePoint 2013. That guy is weird, isn't he?
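
One way to find and move such certificates with PowerShell, as an added example that is not part of the original post. The function names are hypothetical, and comparing Subject with Issuer is the assumed test for "self-signed"; run it elevated on the web server itself.

```powershell
# Added example (not from the original post).
# Lists certificates in the machine Trusted Root store whose Subject differs
# from their Issuer, i.e. certificates that are not self-signed and therefore
# do not belong in a root store.
function Get-NonSelfSignedRoot {
    param([string]$StorePath = 'Cert:\LocalMachine\Root')

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -ne $_.Issuer }
}

# Moves every such certificate to the Intermediate Certification Authorities
# store (Cert:\LocalMachine\CA). Supports -WhatIf and -Confirm so the change
# can be previewed before anything is touched.
function Move-NonSelfSignedRoot {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$Source      = 'Cert:\LocalMachine\Root',
        [string]$Destination = 'Cert:\LocalMachine\CA'
    )

    $suspects = @(Get-NonSelfSignedRoot -StorePath $Source)
    foreach ($cert in $suspects) {
        $label = '{0} [{1}]' -f $cert.Subject, $cert.Thumbprint
        if ($PSCmdlet.ShouldProcess($label, "Move to $Destination")) {
            $cert | Move-Item -Destination $Destination
        }
    }
}

# Step 1: audit only. Any row printed here is a candidate for the 403.16 cause.
Get-NonSelfSignedRoot |
    Format-List Subject, Issuer, Thumbprint, NotAfter

# Step 2: preview the move without changing the stores.
Move-NonSelfSignedRoot -WhatIf

# Step 3: run without -WhatIf once the list has been reviewed.
# Move-NonSelfSignedRoot
```

After the move, repeat the audit to confirm the root store lists nothing, then retry the client certificate logon.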

Comments

Re: HTTPS error 403.16 when using Client Authentication certificate against IIS web server running on Windows 2012 R2

No. SharePoint is not the culprit. It was the USB over Network which adds the certificate there - probably it is signed with the certificate and the intermediate cert gets installed along.
 on 16/05/2016 22:30

Thank you!

Wow, amazing. I had a WCF service requiring client certificate authentication that I had working swimmingly after spending a good amount of time getting everything set up. After a month of distraction on other work, I came back to the service and was failing to authenticate. All my logging, including capturing the certificate chain, indicated that all the certs were still in the proper stores and not expired. Finally, after visiting my IIS logs, I noticed the 403.16, which led me to your very specific post. Lo and behold, I had the exact same VeriSign Class 3 Code Signing 2010 CA cert in my Trusted Root store. No idea how it may have gotten placed there over the past month. Thank you very much. I spent an entire day troubleshooting until I found your post at COB. Definitely helped me sleep better last night.
 on 04/01/2017 15:21

Regarding what put the cert there

To follow up on what you suspect may have placed the cert in your Trusted Root store: I do not have SharePoint installed. However, in the past month I did install VS 2015 Enterprise. It is the only recent change on my system I can think of...
 on 04/01/2017 17:14

Exactly same problem and solution!

Thanks a lot, you saved my day!
 on 01/03/2018 05:09

Re: HTTPS error 403.16 when using Client Authentication certificate against IIS web server running on Windows 2012 R2

Thank you, Ondřej Ševeček, for sharing this article on the internet. It really helped me in resolving a long-pending issue.
 on 25/07/2019 10:29
