Two days ago, I configured a web application on IIS 8.5, which requires a client SSL certificate for authentication. Client certificate and server certificate were from the same CA, they trust each other without any problem, and none of them were even near to expiry date. Still, the application was giving this error code 403 — Forbidden.
At a very high level under the IIS server, I received a 403 error code, which means the content is forbidden but after a deeply check of the server logs (By default, IIS stores its log files in %WINDIR%\System32\Logfiles), I got an error code like 403.1 or 403.16 or 403.20.
The error suggests that there is some problem with the client certificate, but the real problem is with the server hosting the IIS website and having the server-side certificate. The server is not able to check the revocation of the certificate from the Trusted Root Authority.
To solve this issue, open the registry editor and navigate to under the following path
Create a new D-Word entry name ClientAuthTrustMode and put 2 in the data field, which means that the revocation will not be checked.