![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 92%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJB%3C/text%3E%3C/svg%3E)
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,779 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 92%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYL%3C/text%3E%3C/svg%3E)
Hello,
Thank you for posting in Q&A forum.
A 403 error generally means that the server understood the request but refused to authorize it. Given the setup you describe, there may be a few different issues at play. Here are some steps you can take to diagnose and potentially resolve the issue:
- Review physical path permissions:
Make sure the 'C:\Windows\System32\CertSrv' folder and all its subfolders and files have read access for 'IUSR' and the application pool identity (e.g. 'ApplicationPoolIdentity').
- Verify site-level authentication settings in IIS:
Make sure that in the authentication settings for the 'certsrv' site, 'Anonymous Authentication' is enabled and other authentication methods such as 'Active Directory Client Certificate Authentication' are disabled.
- Application Pool Settings:
In IIS, make sure the application pool is set to use the 'ApplicationPoolIdentity' identity. Under 'Application Pools', select the relevant application pool, click 'Advanced Settings', and make sure the 'Identity' field is 'ApplicationPoolIdentity'.
- Check IIS logs: Logs are usually in the path 'C:\inetpub\logs\LogFiles', look for the log entry corresponding to the 403 error to get more information about the error.
- Local Security Policy: Open the 'Local Security Policy' manager ('secpol.msc'), in 'Local Policies > User Rights Assignment', make sure 'IUSR' and 'ApplicationPoolIdentity' have the permissions 'Access this computer from the network' and 'Log on locally'.
- IIS Role Services: Make sure all necessary IIS role services are installed and configured correctly, especially those that the Web Enrollment service depends on.
I hope the information above is helpful.
Best Regards,
Yanhong Liu
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.