When you connect to a computer that is running Microsoft Windows Server 2003 and Microsoft Internet Information Services (IIS) 6.0, you may receive the following error message after you select a certificate:
403.13 Client Certificate Revoked
You may receive this error message if mutual authentication is enabled.
This problem occurs because of a certificate revocation list (CRL) retrieval timeout. Windows Server 2003 introduces new Microsoft Cryptography API (CAPI) behavior regarding network timeouts. This change was first made to address the problem of long delays that occur because of CAPI blocking during CRL retrievals when the target URL is inaccessible.
In Windows Server 2003, the default timeout is set to 15 seconds. Windows Server 2003 includes a feature that retries the download on a background thread with a default timeout of 60 seconds. CRLs that reside on a Lightweight Directory Access Protocol (LDAP) URL may be particularly affected because of reduced throughput.
To work around this problem, manually download the CRL, and then install it to the local computer certificate store.
Because the CRL is valid only for a limited time, you must retrieve a new CRL periodically.
To install a CRL to the local computer certificate store, follow these steps:
- Log on to the computer as a member of the local administrators group.
- Open the Certificates snap-in for the Computer account. To do this, follow these steps:
- Click Start, click Run, type mmc, and then click OK.
- On File menu, click Add/Remove Snap-in. The Add/Remove Snap-in dialog box appears.
- On the Standalone tab, click Add. The Add Standalone Snap-in dialog box appears.
- In the Available Standalone Snap-ins list, click Certificates, and then click Add.
- Click Computer account, and then click Next.
- Click Local computer, and then click Finish.
- Click Close, and then click OK.
- Expand Certificates, right-click Intermediate Certification Authorities, click All Tasks, and then click Import.
- Follow instructions in the wizard to complete the installation.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Windows Server 2003 Service Pack 1 (SP1) is scheduled to include configurable timeout settings that are similar to those that are documented in the following article in the Microsoft Knowledge Base:
You receive the "403.13 client certificate revoked" error message after you install the MS04-11 security update
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
IIS returns a "403.13 Client Certificate Revoked" error message after you install MS04-011 because of Wininet proxy settings
Errors with client certificates occur after you install the MS04-011 security update on an IIS 5.0 computer