HTTP error 403.16 - client certificate trust issue

41
votes

I am trying to implement client certificate authentication on IIS 8. I have deployed my configuration on a development machine and verified it working as expected there. However after setting up on the server, whenever I navigate to the site and am prompted for the client cert, I select it and immediately get the 403.16 error. The failed requests log gives the error code 2148204809 and message "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."

I have a valid client cert and also a valid CA cert. The CA cert is installed in Trusted Root Authorities on the computer account on both the server and the client machine, and the client cert is installed in the Personal area of the Current User account on the client machine.

The client cert is signed directly by the root CA and as I said, both are valid. There are no other certs in the chain and there are no intermediate certs in the Trusted Root Authorities area.

The IIS configuration has sslFlags = SslNegotiateCert and iisClientCertificateMappingAuthentication is enabled.

The server is not configured to send a CTL and we have SendTrustedIssuerList = 0.

I cannot see why the client cert should not be trusted.

4
iissslcertificateclient-certificates
What about CRL? Is it reachable?pepo
I can't see it as an issue...there is no CDP field on either cert and no OCSP URLs. I also checked the disallowed list in the untrusted certs store and neither cert is in there.Eric
I just answered this question here: stackoverflow.com/a/27282889/393159Brett

4 Answers

123
votes

Windows 2012 introduced stricter certificate store validations. According to KB 2795828: Lync Server 2013 Front-End service cannot start in Windows Server 2012, the Trusted Root Certification Authorities (i.e. Root) store can only have certificates that are self-signed. If that store contains non-self-signed certificates, client certificate authentication under IIS returns with a 403.16 error code.

To solve the problem, you have to remove all non-self-signed certificates from the root store. This PowerShell command will identify non-self-signed certificates:

Get-Childitem cert:\LocalMachine\root -Recurse | 
    Where-Object {$_.Issuer -ne $_.Subject}

In my situation, we moved these non-self-signed certificates into the Intermediate Certification Authorities (i.e. CA) store:

Get-Childitem cert:\LocalMachine\root -Recurse | 
    Where-Object {$_.Issuer -ne $_.Subject} | 
    Move-Item -Destination Cert:\LocalMachine\CA

According to KB 2801679: SSL/TLS communication problems after you install KB 931125, you might also have too many trusted certificates.

[T]he maximum size of the trusted certificate authorities list that the Schannel security package supports is 16 kilobytes (KB). Having a large amount of Third-party Root Certication Authorities will go over the 16k limit, and you will experience TLS/SSL communication problems.

The solution in this situation is to remove any certification authority certificates you don't trust, or to stop sending the list of trusted certifiation authorities by setting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\@SendTrustedIssuerList registry entry to 0 (the default, if not present, is 1).

6
votes

In my case I'd been adding the root cert into the 'current user' certificate store on the server and was getting the 403.16 error.

Adding my root cert to the Trusted Root Authorities store for the local machine resolved the issue.

Follow the steps below on the server running IIS.

For Windows Server 2008 R2:

  1. Right click on the certificate file and select 'Install Certificate'. Click next.
  2. Select 'Place all certificates in the following store' and click 'Browse...'
  3. Check 'Show physical stores'
  4. Expand 'Trusted Root Certification Authorities' and select 'Local Computer'. Click OK.
  5. Click Next/Click Finish.

For Windows Server 2012 R2:

  1. Right click on the certificate file and select 'Install Certificate'.
  2. Select 'Local Machine'. Click Next.
  3. Select 'Place all certificates in the following store' and click 'Browse...'
  4. Select 'Trusted Root Certification Authorities'. Click OK.
  5. Click Next/Click Finish.

For Windows 7:

  1. Start -> Run -> mmc.exe
  2. File -> 'Add or Remove Snap-ins'. Select 'Certificates', click 'Add >' and select 'Computer account' and then 'Local computer'. Click Finish/OK
  3. Expand Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates. Right click on Certificates and select All Tasks -> Import.
  4. Select the certificate file and click next.
  5. Select 'Place all certificates in the following store' and click 'Browse...'
  6. Check 'Show physical stores'
  7. Expand 'Trusted Root Certification Authorities' and select 'Local Computer'. Click OK.
  8. Click Next/Click Finish.
0
votes

I got this error in IIS Express:

HTTP Error 403.16 - Forbidden

Your client certificate is either not trusted or is invalid.

Looking at the TraceLogFiles I saw the following error:

<RenderingInfo Culture="en-US">
 <Opcode>MODULE_SET_RESPONSE_ERROR_STATUS</Opcode>
 <Keywords>
  <Keyword>RequestNotifications</Keyword>
 </Keywords>
 <freb:Description Data="Notification">BEGIN_REQUEST</freb:Description>
 <freb:Description Data="ErrorCode">A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
(0x800b0109)</freb:Description>
</RenderingInfo>

Turned out when I installed Razer Synapse the installation also put a certificate for chromasdk.io in Trusted Root Certification Authorities under Computer Account -> Local computer. I removed this and then everything worked.

0
votes

Just sharing my experience with Windows 2019 server and IISExpress in combination with a self-signed certificate. I couldn't get it working with editing the registry and in the end I didn't need to.

The following three steps got me there:

  1. Generate a root certificate for the localmachine cert store with powershell: $cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=TestRootCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\LocalMachine\My" -KeyUsageProperty Sign -KeyUsage CertSign

  2. Generate a client certificate for the localuser cert store, based on the root cert with powershell: New-SelfSignedCertificate -Type Custom -Subject "CN=TestChildCert" -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2","2.5.29.17={text}upn=test@local") -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My"

  3. Move the root cert from Personal\Certificates to Trusted Root Certification\Certificates

After this I could select the TestChildCert and it was accepted just fine.