Today, I was presenting client certificate and smart card authentication against web applications running on Windows 2012 R2 and it did not work. I have done this a million times before without any problem, but today the following symptoms appeared:
Error 403 - Forbidden, access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.
HTTP Error 403.16 - Forbidden
Your client certificate is either not trusted or is invalid.
The client certificate used for this request is not trusted by the web server.
sc-win32-status = 2148204809 = 0x800b0109 = CERT_E_UNTRUSTEDROOT
After some debugging yielded nothing, I went searching and found this one.
Some update or other component seems to have imported a non-self-signed certificate into the web server's Trusted Root Certification Authorities certificate store. The faulty guy was called VeriSign Class 3 Code Signing 2010 CA, which is actually an intermediate certificate signed by the root CA called VeriSign Class 3 Public Primary Certification Authority - G5. Certificates in the Trusted Root store are expected to be self-signed; when the chain builder ends up at a non-self-signed certificate there, it treats the chain's root as untrusted, which is exactly the CERT_E_UNTRUSTEDROOT above.
Once I moved the VeriSign Class 3 Code Signing 2010 CA intermediate certificate from the Trusted Root store to the Intermediate Certification Authorities certificate store, the problem immediately disappeared.
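An added PowerShell check (my own code, not part of the original post) that finds any non-self-signed certificate sitting in the machine's Trusted Root store and, after a -WhatIf dry run, moves it to Intermediate Certification Authorities. The function names are my own; it relies only on the .NET X509Store class and must run elevated to modify LocalMachine stores.

```powershell
# Added example: locate intermediates misplaced in Trusted Root (the cause of IIS 403.16 /
# CERT_E_UNTRUSTEDROOT described above) and relocate them to the Intermediate CA store.

function Get-MisplacedRootCertificate {
    [CmdletBinding()]
    param([string]$StoreLocation = 'LocalMachine')

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        # A genuine root is self-issued: Subject and Issuer names match.
        # Name comparison is a heuristic; it flags every cert here that claims another issuer.
        $store.Certificates | Where-Object { $_.Subject -ne $_.Issuer }
    } finally {
        $store.Close()
    }
}

function Move-CertificateToIntermediateStore {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$StoreLocation = 'LocalMachine'
    )
    process {
        if ($PSCmdlet.ShouldProcess($Certificate.Subject, 'Move from Root to CA store')) {
            $ca   = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', $StoreLocation)
            $root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $StoreLocation)
            $ca.Open('ReadWrite'); $root.Open('ReadWrite')
            try {
                $ca.Add($Certificate)       # add to Intermediate Certification Authorities first
                $root.Remove($Certificate)  # then drop it from Trusted Root
            } finally {
                $ca.Close(); $root.Close()
            }
        }
    }
}

# Report first; the second line is a dry run, remove -WhatIf to actually move the certificates.
Get-MisplacedRootCertificate | Format-Table Subject, Issuer, Thumbprint, NotAfter -AutoSize
Get-MisplacedRootCertificate | Move-CertificateToIntermediateStore -WhatIf
```

Running the report periodically (or in a monitoring job) catches the next installer that drops an intermediate into Root before client certificate logons start failing.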
Nobody knows what the hell put this VeriSign Class 3 Code Signing 2010 CA into my Trusted Root Certification Authorities store. I suspect SharePoint 2013. That guy is weird, isn't it?