Article ID: 252657
This article was previously published under Q252657
When you connect to a secure (HTTPS) Web site, you may be presented with a "Client Authentication" dialog box, prompting you to select a client certificate to use for authentication with the IIS computer. When you select a client certificate, you may be denied access and the following error message may occur:
HTTP 403.16 Forbidden: Client certificate untrusted or invalid.
This error can occur if you choose a client certificate created by a Certificate Authority (CA) that is not trusted by the IIS computer.
If the client certificate was created by a CA that is trusted by the IIS computer, then it is possible this error is caused by a known issue with Windows 2000 when it is configured to "Trust Only Enterprise Root Stores."
If you do not have a client certificate that was created by a CA trusted by the IIS computer, you can either request a new client certificate from a Certificate Authority that is trusted by the IIS computer or have an administrator configure the IIS computer to trust the CA that created your client certificate.
If you do have a client certificate that was created by a CA trusted by the IIS computer, then it is possible that your Windows 2000 domain has been configured with a group policy that forces the IIS computer to "Trust Only Enterprise Root Stores." If this policy is in enabled, the authentication will still fail, even if the CA is a Trusted Root Store.
To work around this issue, remove the Group Policy Trust only Enterprise Root stores option for the domain. To do this, perform the following steps:
Microsoft has confirmed that this is a problem in Microsoft Internet Information Services version 5.0.
Article ID: 252657 - Last Review: January 24, 2012 - Revision: 2.0