"HTTP Error 403.16 - Forbidden" when you try to access a website that's hosted on IIS 7.0


Symptoms


You have a website that's hosted on Internet Information Services (IIS) 7.0. When you try to access the site through a web browser, you receive an error message that resembles one of the following:
Server Error in Application "application name"
HTTP Error 403.16 - Forbidden
HRESULT: 0x800b0109
Description of HRESULT
Your client certificate is either not trusted or is invalid.
HTTP 403.16 Client certificate is untrusted or invalid.
Smart Card Users Cannot Authenticate.
403 Forbidden

Cause


Cause 1

This problem occurs because the root certificate of the certification authority is not in the Trusted Root Certification Authorities certificate store on the IIS Web server.

Note The root certificate of the certification authority is used to issue the client certificate.

Cause 2

There are one or more non–self-signed certificates in the Trusted Root Certification Authorities certificate store. A non–self-signed certificate is any certificate for which the "Issued To" and "Issued By" values are not an exact match.

Resolution


Resolution for Cause 1

  1. On the IIS Web server, click Start, type mmc.exe in the Start Search box, right-click mmc.exe, and then click Run as administrator.

    Note If you are prompted for an administrator password or for a confirmation, type the password, or click Continue.
  2. On the File menu, click Add/Remove Snap-in.
  3. Under Available snap-ins, click Certificates, and then click Add.
  4. Click Computer account, and then click Next.
  5. Click Local computer, click Finish, and then click Close.
  6. To exit the wizard, click OK.
  7. Expand Certificates, expand Trusted Root Certification Authorities, right-click Certificates, point to All Tasks, and then click Import.
  8. In the Certificate Import Wizard, click Next.
  9. In the File name box, type the location of the root certificate of the certification authority, and then click Next.
  10. Click Next, and then click Finish.

Resolution for Cause 2

Move any non–self-signed certificates out of the Trusted Root Certification Authorities certificate store and into the Intermediate Certification Authorities certificate store.

More Information


To identify all non–self-signed certificates in the Trusted Root Certification Authorities certificate store, run the following PowerShell command:

Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File "c:\computer_filtered.txt"
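The following script is an added example, not part of the original article: it checks a client certificate's chain the way the server's trust check does (Cause 1) and relocates any non–self-signed certificates from the Trusted Root store to the Intermediate CA store (Cause 2) using the same Issuer/Subject test as the command above. It assumes an elevated PowerShell prompt on the IIS server; the .cer path at the end is a placeholder.

```powershell
# Added example, not code from the KB article. Run in an elevated PowerShell
# prompt on the IIS server; the .cer path at the bottom is a placeholder.
$ns  = 'System.Security.Cryptography.X509Certificates'
$loc = ([type]"$ns.StoreLocation")::LocalMachine

# Cause 1 check: build the chain for a client certificate with the Windows chain
# engine and report the status flags. UntrustedRoot means the issuing CA's root
# certificate is missing from Trusted Root Certification Authorities.
function Test-ClientCertificateChain {
    param([Parameter(Mandatory = $true)][string]$Path)
    $cert  = New-Object "$ns.X509Certificate2" -ArgumentList $Path
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate trust from revocation lookups
    $trusted = $chain.Build($cert)
    [pscustomobject]@{
        Subject = $cert.Subject
        Issuer  = $cert.Issuer
        Trusted = $trusted
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Cause 2 fix: move every non-self-signed certificate (Issuer differs from
# Subject) from the Trusted Root store to the Intermediate CA store.
# -WhatIf lists the moves without changing either store.
function Move-MisplacedRootCertificate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $root = New-Object "$ns.X509Store" -ArgumentList 'Root', $loc
    $ca   = New-Object "$ns.X509Store" -ArgumentList 'CA', $loc
    $root.Open('ReadWrite'); $ca.Open('ReadWrite')
    try {
        # Snapshot first: removing from a store while enumerating it is unsafe.
        $misplaced = @($root.Certificates | Where-Object { $_.Issuer -ne $_.Subject })
        foreach ($cert in $misplaced) {
            $label = '{0} [{1}]' -f $cert.Subject, $cert.Thumbprint
            if ($PSCmdlet.ShouldProcess($label, 'Move Root -> CA')) {
                $ca.Add($cert)        # add before remove so the cert is never absent from both
                $root.Remove($cert)
                Write-Output "Moved: $label"
            }
        }
        if ($misplaced.Count -eq 0) { Write-Output 'Trusted Root store holds only self-signed certificates.' }
    }
    finally { $root.Close(); $ca.Close() }
}

Move-MisplacedRootCertificate -WhatIf                       # drop -WhatIf to apply
Test-ClientCertificateChain -Path 'C:\path\to\client.cer'  # placeholder path
```

Run the chain check again after importing the root certificate: Trusted should turn to True and the Status field should be empty.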