Tuesday, April 29, 2014

IIS: 403 Forbidden, 403.7 Client Certificate Required errors

Problem Statement:

Getting error : 403 Forbidden  or 403.7 Client Certificate Required kind of error while access a service which requires SSL certificate.


1. Web service exposed from IIS with "https" and SSL settings
     "Require SSL" and "Client Certificate: Require".
2. While client try to send message to service (even if all the certificates are properly installed         and       configured) gets either "403 Forbidden, 403.7 Client Certificate Required " 

Root Cause :

During the handshake protocol for client certificate authorization, the server sends a list of Trusted Root Certification Authorities to the client.  The client will in this case only provide Client Certificates, issued by one of these Trusted Root Certification Authorities. 

It seems that IIS (where service is hosted) is configured to use a CTL (Certificate Trust List ) with SendTrustedIssuerList=0 so not sending a list and some clients configured if server doesn't send the list client doesn't send its client certificate with the message.

due to this reason client/service can see either "403 Forbidden, 403.7 Client Certificate Required " errors  


This can be done by adding this registry entry on the web server:

        Value name: SendTrustedIssuerList
        Value type: REG_DWORD
        Value data: 1 (True)