403 - Forbidden: Access is denied

Salam ELIAS 112 Reputation points
2022-10-24T15:19:54.333+00:00

Hi, I have an IIS web site that was working fine for years. All of a sudden, 1 week back, I tried to browse it and started to get

253509-image.png

What is strange is that when I open a session on the server itself, it works fine. IIS_USR and IUSR have Read & Execute privileges on inetpub and its subdirectories; I even enabled "Directory Browsing" to check, but it did not help.

In the log I see

2022-10-24 14:52:24 192.168.1.30 GET /favicon.ico - 443 - 82.65.38.149 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/106.0.0.0+Safari/537.36+Edg/106.0.1370.47 https://mysite.hd.free.fr/sierac 403 16 2148204809 53
2022-10-24 14:58:01 192.168.1.30 GET /sierac - 443 - 82.65.38.149 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/106.0.0.0+Safari/537.36+Edg/106.0.1370.47 - 403 16 2148204809 34

Here is some text from older logs where it was working fine

2022-06-29 19:04:57 192.168.1.30 GET /sierac - 443 - 194.38.20.161 ALittle+Client - 301 0 0 1766
2022-06-29 19:05:29 192.168.1.30 GET /sierac/ - 443 - 194.38.20.161 ALittle+Client - 200 0 0 752

Here is the config of the machine
253520-image.png

Internet Information Services

14 answers

  1. Deepak-MSFT 2,191 Reputation points Microsoft Vendor
    2022-10-25T03:18:07.287+00:00

    Hi @Salam ELIAS ,

    I tried to check the logs and found that they show the 403.16 error code.

    Based on my research and official docs, it looks like the issue could be related to the certificates.

    Have you made any changes in certificates recently?

    Below are some possible causes that could generate 403.16 error.

    1. Root certificate isn't in Trusted Root Certification Authorities Certificate store
    2. Non-self-signed certificates are in Trusted Root Certification Authorities Certificate store

    Resolution for cause 1

    • On the IIS Web server, select Start, type mmc.exe in the Start Search box, right-click mmc.exe, and then select Run as administrator.
    • On the File menu, select Add/Remove Snap-in.
    • Under Available snap-ins, select Certificates, and then select Add.
    • Select Computer account, and then select Next.
    • Select Local computer, select Finish, and then select Close.
    • To exit the wizard, select OK.
    • Expand Certificates, expand Trusted Root Certification Authorities, right-click Certificates, point to All Tasks, and then select Import.
    • In the Certificate Import Wizard, select Next.
    • In the File name box, type the location of the root certificate of the certification authority, and then select Next.
    • Select Next, and then select Finish.

    Resolution for cause 2

    Move any non-self-signed certificates out of the Trusted Root Certification Authorities Certificate store and into the Intermediate Certification Authorities Certificate store.

    For more information, please refer to HTTP Error 403.16 when you try to access a website that's hosted on IIS

    Further, you could try to enable detailed errors. Select your site-> Error pages-> Edit feature settings-> Select Detailed errors and click OK. It will show you more information about this error.

    Best Regards,
    Deepak
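
Added example, not part of the thread: the 403.16 reading above comes from the trailing fields of each IIS log line, decoded here in PowerShell. It assumes the default W3C field order; the function name is hypothetical and the sample User-Agent is shortened. The sc-win32-status value 2148204809 from the question is 0x800B0109 (CERT_E_UNTRUSTEDROOT).

```powershell
# Added example (not from the thread). Assumes the default IIS W3C field order,
# where each line ends with: sc-status sc-substatus sc-win32-status time-taken.

# HTTP 403 substatus codes related to client certificates (the two named in this thread).
$SubStatus403 = @{
    7  = 'Client certificate required'
    16 = 'Client certificate is untrusted or invalid'
}
# HRESULT values worth recognising next to those substatus codes.
$KnownHResult = @{
    '0x800B0109' = 'CERT_E_UNTRUSTEDROOT: chain ends in a root the server does not trust'
}

function ConvertFrom-IisLogLine {
    param([Parameter(Mandatory)][string]$Line)
    if ($Line.StartsWith('#')) { return }            # skip #Fields / #Date directives
    $f = $Line.Trim() -split '\s+'
    if ($f.Count -lt 6) { return }                   # skip truncated lines
    $status = [int]$f[-4]
    $sub    = [int]$f[-3]
    $hex    = '0x{0:X8}' -f [uint32]$f[-2]           # decimal Win32 status as HRESULT hex
    [pscustomobject]@{
        Time      = "$($f[0]) $($f[1])"
        Uri       = $f[4]
        Status    = "$status.$sub"
        Meaning   = if ($status -eq 403 -and $SubStatus403.ContainsKey($sub)) { $SubStatus403[$sub] } else { '' }
        Win32Hex  = $hex
        Win32Name = if ($KnownHResult.ContainsKey($hex)) { $KnownHResult[$hex] } else { '' }
    }
}

# Log lines from the question; the User-Agent field is shortened (constructed).
$sample = @(
    '2022-10-24 14:58:01 192.168.1.30 GET /sierac - 443 - 82.65.38.149 Mozilla/5.0+(shortened) - 403 16 2148204809 34'
    '2022-06-29 19:04:57 192.168.1.30 GET /sierac - 443 - 194.38.20.161 ALittle+Client - 301 0 0 1766'
)
$sample | ForEach-Object { ConvertFrom-IisLogLine $_ } | Format-List
```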


  2. Salam ELIAS 112 Reputation points
    2022-10-25T08:50:46.007+00:00

    Thanks Deepak, the root CA is in Trusted area as you can notice in the following snapshot

    253816-image.png

    253851-image.png

    So I am a little bit confused, it seems that everything is in place. Also, I forgot to mention that when I browse from any other machine I get a dialog box which invites the user to choose a certificate, but the right one isn't in the dialog box


  3. Salam ELIAS 112 Reputation points
    2022-10-25T08:56:33.28+00:00

    I have just tried to access the web site and here is the prompt I get where I see some certificates but not the one linked to the server

    253769-image.png


  4. Salam ELIAS 112 Reputation points
    2022-10-25T12:46:47.987+00:00

    I activated detailed errors, which surprises me, as in the browser on the IIS server it shows that the certificate is OK

    253911-image.png


  5. Deepak-MSFT 2,191 Reputation points Microsoft Vendor
    2022-10-26T08:13:06.017+00:00

    Hi @Salam ELIAS ;

    I would like to know whether only this site has an issue or other sites are also showing the 403.16 error?

    Please check the suggestions below, one by one.

    1) To check and confirm whether there are any non-self-signed certificates in the Trusted Root Certification Authorities, could you please run the command below in PowerShell? It will create the notepad file and list the certificates in it. If you find any, then move them from this location.

    Get-ChildItem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File "FilePath\File_Name.txt"

    2) For testing purposes, launch the Registry Editor. Browse to the path HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL. Create a DWORD entry with the name ClientAuthTrustMode and set its value to 2, which means that the server will not check the revocation of the certificate from the Trusted Root Authority.

    After setting this registry value, restart IIS. Try to check for the issue and see whether it makes any difference. If the issue persists, then remove the DWORD entry.

    3) For testing purposes, launch the Registry Editor. Browse to the path HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL. Create a DWORD entry with the name SendTrustedIssuerList and set its value to 1.

    After setting this registry value, restart IIS. Try to check for the issue and see whether it makes any difference. If the issue persists, then remove the DWORD entry.

    Let me know your test results.

    Helpful Reference: IIS may reject client certificate requests with HTTP 403.7 or 403.16 errors

    Best Regards,
    Deepak
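
Added example, not part of the thread: a read-first audit covering "Resolution for cause 2" in the first answer and the checks in this one. It lists non-self-signed certificates in the machine Trusted Root store, previews moving them to the Intermediate store, and reports whether the two test registry values are currently set. The function names are hypothetical; run it in an elevated PowerShell session on the IIS server.

```powershell
# Added example (not from the thread). Function names are hypothetical.

function Get-MisplacedRootCertificate {
    # Certificates in the machine Trusted Root store whose Issuer differs from
    # their Subject, i.e. not self-signed (same test as the command in the thread).
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Issuer -ne $_.Subject } |
        Select-Object Thumbprint, Subject, Issuer, NotAfter
}

function Move-MisplacedRootCertificate {
    # Moves each misplaced certificate to Intermediate Certification Authorities
    # (store name "CA"). Supports -WhatIf / -Confirm so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($c in Get-MisplacedRootCertificate) {
        $src = "Cert:\LocalMachine\Root\$($c.Thumbprint)"
        if ($PSCmdlet.ShouldProcess($c.Subject, 'Move to Intermediate Certification Authorities')) {
            Move-Item -Path $src -Destination Cert:\LocalMachine\CA
        }
    }
}

function Get-SchannelTestValue {
    # Reports the two DWORDs named in the thread, so a leftover test setting is visible.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    foreach ($name in 'ClientAuthTrustMode', 'SendTrustedIssuerList') {
        $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Name  = $name
            Value = if ($null -eq $v) { '(not set)' } else { $v }
        }
    }
}

Get-MisplacedRootCertificate | Format-List
Get-SchannelTestValue | Format-Table -AutoSize
Move-MisplacedRootCertificate -WhatIf    # preview only; remove -WhatIf to perform the move
```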
