When you connect to a secure (HTTPS) Web site, you may be presented with a "Client Authentication" dialog box, prompting you to select a client certificate to use for authentication with the IIS computer. When you select a client certificate, you may be denied access and the following error message may occur:
HTTP 403.16 Forbidden: Client certificate untrusted or invalid.
This error can occur if you choose a client certificate created by a Certificate Authority (CA) that is not trusted by the IIS computer.
If the client certificate was created by a CA that is trusted by the IIS computer, then it is possible this error is caused by a known issue with Windows 2000 when it is configured to "Trust Only Enterprise Root Stores."
If you do not have a client certificate that was created by a CA trusted by the IIS computer, you can either request a new client certificate from a Certificate Authority that is trusted by the IIS computer or have an administrator configure the IIS computer to trust the CA that created your client certificate.
If you do have a client certificate that was created by a CA trusted by the IIS computer, then it is possible that your Windows 2000 domain has been configured with a group policy that forces the IIS computer to "Trust Only Enterprise Root Stores." If this policy is enabled, the authentication will still fail, even if the CA certificate is in the Trusted Root Certification Authorities store.
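As an added diagnostic (example code, not from the original article), the following PowerShell script builds the client certificate's chain in the machine context, the same store set a service such as IIS consults, and reports which of the two causes above applies. The certificate path, the use of an exported .cer file, and the `Cert:\LocalMachine\Root` store path are assumptions.

```powershell
# Added diagnostic, not part of the original article. Run on the IIS computer
# (or any machine with PowerShell and .NET). $CertPath is an assumed location
# for the exported client certificate (public part only, .cer).
param(
    [string]$CertPath = 'C:\temp\client.cer'
)

Add-Type -AssemblyName System.Security
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# $true = machine context, the store set a service such as IIS consults
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate trust problems from revocation problems
$built = $chain.Build($cert)

Write-Output "Subject      : $($cert.Subject)"
Write-Output "Issuer       : $($cert.Issuer)"
Write-Output "Chain builds : $built"
foreach ($element in $chain.ChainElements) {
    Write-Output "  -> $($element.Certificate.Subject)"
}

if (-not $built) {
    foreach ($status in $chain.ChainStatus) {
        Write-Output "  Status: $($status.Status) - $($status.StatusInformation.Trim())"
    }
    # UntrustedRoot here is the first cause in the article: the issuing CA is not
    # trusted by this computer, so either trust that CA or obtain a client
    # certificate from a CA the IIS computer already trusts.
    return
}

# The chain builds, so check where the root actually lives.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inRootStore = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if ($inRootStore) {
    Write-Output "Root '$($root.Subject)' is in the LocalMachine Root store."
    Write-Output "If 403.16 still occurs, suspect the 'Trust only Enterprise Root stores' group policy."
} else {
    Write-Output "Root '$($root.Subject)' is trusted through a store other than LocalMachine Root."
}
```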
To work around this issue, remove the "Trust only Enterprise Root stores" Group Policy option for the domain. To do this, perform the following steps:
- Start the Default Domain Policy Group Policy Editor.
- Select Computer Settings, choose Computer Configuration, and then select Windows Settings.
- Choose Security Settings, select Public Key Policies and then choose Trusted Root Certification Authorities.
- Right-click the Trusted Root Certification Authorities node, and then select Properties.
- Disable the "Trust only Enterprise Root stores" option.
Microsoft has confirmed that this is a problem in Microsoft Internet Information Services version 5.0.