403.16 — Client certificate is untrusted of invalid

Windows 10 Jun 28, 2021

Two days ago, I configured a web application on IIS 8.5, which requires a client SSL certificate for authentication. Client certificate and server certificate were from the same CA, they trust each other without any problem, and none of them were even near to expiry date. Still, the application was giving this error code 403 — Forbidden.

At a very high level under the IIS server, I received a 403 error code, which means the content is forbidden but after a deeply check of the server logs (By default, IIS stores its log files in %WINDIR%\System32\Logfiles), I got an error code like 403.1 or 403.16 or 403.20.

The error suggests that there is some problem with the client certificate, but the real problem is with the server hosting the IIS website and having the server-side certificate. The server is not able to check the revocation of the certificate from the Trusted Root Authority.

To solve this issue, open the registry editor and navigate to under the following path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Create a new D-Word entry name ClientAuthTrustMode and put 2 in the data field, which means that the revocation will not be checked.

Tags

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.