Mutual certificates authentication fails with error 403.16

17

I'm using Windows Server 2012 and IIS 8.5. I've set SSL for the website and the SSL Settings are: Require Required and Require Client Certificates.

The client certificate that I'm sending to the server has been issued by a self-signed authority (let's called it MyCompany CA). MyCompany CA certificate has been successfully installed in the Local Computer Account - Trusted Root Certification Authorities. It's expiration date is 2039, so is the client certificate expiration date.

However, with all this setup, I'm getting an error 403.16 as result. I've enabled Failed Request Tracing Rules and managed to log an erroneous request and got some extra details about it:

52.- MODULE_SET_RESPONSE_ERROR_STATUS - Warning ModuleName - IIS Web Core Notification - BEGIN_REQUEST HttpStatus - 403 HttpReason - Forbidden HttpSubStatus - 16 ErrorCode - A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (0x800b0109) ConfigExceptionInfo

I've checked multiple sites regarding the result 403.16 and error code 0x800b0109 and all of them points to the certification authority not been installed in Local Computer - Trusted Root Certification Authorities, but that's not my case.

Thanks!

ssl
iis
http-status-code-403
client-certificates
asked on Stack Overflow Dec 1, 2014 by Javier Holguera • edited Jun 14, 2018 by abatishchev

3 Answers

54

I have been working on this for a long time and finally found it!

Add a new key to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL Value name: ClientAuthTrustMode Value type: REG_DWORD Value data: 2

Refresh the webpage, select the certificate and watch the magic happen.

Research

Using Windows 8 and IIS 8.5 I followed the instructions here http://itq.nl/testing-with-client-certificate-authentication-in-a-development-environment-on-iis-8-5/.

Certificates were created in the correct place and everything configured in IIS properly but I kept getting 403.16 errors.

After the many MSDN articles and other attempts failed I found the following registry setting.

Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL Value name: ClientAuthTrustMode Value type: REG_DWORD Value data: 2

Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL Value name: SendTrustedIssuerList Value type: REG_DWORD Value data: 0 (False, or delete this key entirely)

Here is some more information about this specific setting (found here: http://technet.microsoft.com/en-us/library/hh831771.aspx)

Defaults for Trust Modes There are three Client Authentication Trust Modes supported by the Schannel provider. The trust mode controls how validation of the client’s certificate chain is performed and is a system-wide setting controlled by the REG_DWORD “ClientAuthTrustMode” under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel.

0 Machine Trust (default) Requires that the client certificate is issued by a certificate in the Trusted Issuers list.

1 Exclusive Root Trust Requires that a client certificate chains to a root certificate contained in the caller-specified trusted issuer store. The certificate must also be issued by an issuer in the Trusted Issuers list

2 Exclusive CA Trust Requires that a client certificate chain to either an intermediate CA certificate or root certificate in the caller-specified trusted issuer store. For information about authentication failures due to trusted issuers configuration issues, see Knowledge Base article 280256.

Hope this work for you as well.

answered on Stack Overflow Dec 3, 2014 by Brett
5

I have tried the solution suggested above and it works fine.

An alternative solution which doesn't involve editing the registry:

https://support.microsoft.com/en-us/help/2795828/lync-server-2013-front-end-service-cannot-start-in-windows-server-2012

The main point from this article is to remove all non-signed certificates from the Local Computer Trusted Root folder.

If you use group policies to deploy certificates, make sure that the Trusted Root Certification Authorities store only contains self-signed certificates (certificates in which the certificate property "Subject" is the same as the certificate property "Issuer"). Move any certificates that are not self-signed certificates from the Trusted Root Certification Authorities store to the Intermediate Certification Authorities store.

If you import new certificates manually, make sure that you select the computer’s Trusted Root Certification Authorities store for the self-signed certificates, and the computer’s Intermediate Certification Authorities store for the certificates that are not self-signed certificates.

You can find all the non-self signed certificates by using the Powershell script:

Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File "c:\computer_filtered.txt"

Move those certs to the Intermediate Certification Authorities folder in mmc.

answered on Stack Overflow Jan 30, 2017 by zakmyster
2

I had to reboot the server to get the ClientAuthTrustMode setting to apply.

answered on Stack Overflow May 3, 2016 by dezdez

User contributions licensed under CC BY-SA 3.0