DetailPage-MSS-KB

Knowledge Base

Article ID: 186812 - Last Review: July 3, 2014 - Revision: 5.0

This article describes the HTTP 403.7 error message. If you are an end-user who has encountered this error, we recommend that you ask the site administrator for instructions on how to obtain the correct client certificate.

On This Page

Symptoms

You have a website that is hosted on Internet Information Services (IIS). When you go to the website in a web browser, you may receive an error message that resembles the following:

HTTP Error 403
403.7 Forbidden: Client certificate required

Cause

This error occurs when the website requests a client certificate, and then the client either does not provide one or the certificate supplied by the client browser is rejected. Client certificates are a kind of Secure Sockets Layer (SSL) certificate typically used to identify a user or computer to a website. 

The following are several possible causes of this problem:
  • The root certificate (certification authority certificate) of the client certificate is not installed on the computer that is running IIS.
  • The client certificate has expired, or the effective time has not been reached.
  • The client certificate was revoked.
  • No valid client certificate is available, or a potentially valid client certificate does not have an associated private key installed.

Resolution

For end-users

Depending on the cause of your problem, try one of the following resolutions:
  • If you do not have a client certificate for the site, and you need one, contact the site administrator for instructions.
  • Make sure that the expiration date and time of the certificate has arrived. If your certificate has expired, contact the site administrator for instructions.

For site administrators

Note Client certificate authentication may be enabled where it is not required. If you intended only to require TLS/SSL communications, then you need only a server certificate. You can disable client certificate authentication by using the resolution in the following Microsoft Knowledge Base article:
KB942067  (http://support.microsoft.com/kb/942067/ ) Error message when you try to run a Web application that is hosted on a server that is running IIS 7.0: "HTTP Error 403.7 - Forbidden"

To check whether the server running IIS considers the certificate valid, you can follow these steps:
  1. Export the certificate to a .CER file.
  2. Copy the .CER file to the server that is running IIS.
  3. Open the .CER file on the server that is running IIS.
  4. Look at the Certification Path tab. If all certificates in the chain are displayed without a red "cross," then the certificate chain is trusted by the computer. If the root certification authority has a red cross against it, continue to the next set of steps.

To resolve this issue, install the root certification authority certificate manually. To do this, follow these steps:
  1. Click Start, click Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. In the Add or Remove Snap-ins dialog box, select Certificates under Available Snap-ins, and then click Add.
  4. In the Certificates snap-in, select Computer account, click Finish twice, and then click OK.
  5. Under Console Root, expand Certificates (Local Computer).
  6. Expand Trusted Root Certification Authorities, and then right-click Certificates.
  7. Select All Tasks, and then click Import….
  8. Click Next, and then navigate to the location where the Root CA certificate file is stored.
  9. After the certificate has been selected, click Next two times, and then click Finish.

Note Intermediate CA certificates should be installed in the Intermediate Certification Authorities store rather than in the Trusted Roots store. Any certification authority certificate whose Issued by and Issued to values are not the same (and therefore the certificate is not at the top of the hierarchy) is known as an "Intermediate CA."

References

  • KB931125  (http://support.microsoft.com/kb/931125/ ) How to get a Root Certificate update for Windows
  • KB332077  (http://support.microsoft.com/kb/332077/ ) IIS 6.0: Computer must trust all certification authorities trusted by individual sites
  • KB2802568  (http://support.microsoft.com/kb/2802568/ ) Internet Information Services (IIS) 8 may reject client certificate requests with HTTP 403.7 or 403.16 errors
  • KB293781  (http://support.microsoft.com/kb/293781/ ) Trusted root certificates that are required by Windows Server 2008 R2, by Windows 7, by Windows Server 2008, by Windows Vista, by Windows Server 2003, by Windows XP, and by Windows 2000

Applies to
  • Microsoft Internet Information Server 3.0
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services 6.0
  • Microsoft Internet Information Services 7.0
  • Microsoft Internet Information Services 7.5
Keywords: 
kbprb kbprod2web kbconsumer kbquadranttechsupp KB186812
Delen
Extra ondersteuningsopties
Microsoft Community Support-forums
Neem rechtstreeks contact met ons op
Een door Microsoft gecertificeerde partner zoeken
Microsoft Store