Hi Saleh Kheradmand,
When you enable “Require” under SSL Settings > Client Certificates, IIS expects the browser to present a valid client certificate during the HTTPS handshake. If the certificate is missing, not trusted by the server, or doesn’t match what IIS expects, you’ll get a 403 error — usually 403.7 (client certificate required) or 403.16 (certificate is untrusted).
Since your client isn’t joined to a domain or workgroup, IIS won’t be able to map the certificate to a Windows account automatically — so we’ll need to handle that manually.
Here’s what I recommend checking:
1. Make sure the server trusts the client certificate
- On the IIS server, run mmc.exe (press Win + R, type mmc, hit Enter).
- Go to File > Add/Remove Snap-in > Certificates > Local Computer.
- Import the CA certificate (the one that issued the client cert) into Trusted Root Certification Authorities or Intermediate Certification Authorities.
2. Configure SSL settings in IIS
- In IIS Manager, go to your site > SSL Settings.
- Check Require SSL and set Client Certificates to Require.
3. Disable Anonymous Authentication
- Go to Authentication for your site in IIS.
- Disable Anonymous Authentication.
- If you're not using domain accounts, you can skip enabling Windows Authentication — instead, you’ll need to use certificate mapping.
4. Set up certificate mapping (optional but important)
- If you want to allow only specific certificates, you can configure One-to-One Certificate Mapping in IIS.
- This lets you map a specific client certificate to a local Windows account (even if the client isn’t on a domain).
- Guide: Configure One-to-One Certificate Mapping in IIS
5. Test in Chrome
- Chrome should prompt the user to select a certificate when visiting the site.
- If it doesn’t, make sure the certificate is installed in the Personal store (you can check by running certmgr.msc on the client).
- Also, try accessing the site using the hostname (not IP address), as Chrome may skip certificate prompts for IPs.
For more helpful documents:
- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/iisclientcertificatemappingauthentication/
- https://learn.microsoft.com/en-us/iis/manage/configuring-security/how-to-set-up-ssl-on-iis
- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/clientcertificatemappingauthentication
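
Steps 1 to 4 above can also be scripted with the WebAdministration module. This is an added example, not part of the original answer; the site name, file paths and local account are assumptions, and it presumes the IIS Client Certificate Mapping Authentication feature is installed.

```powershell
# Added example: steps 1-4 of the answer, scripted. Run elevated on the IIS server.
# Assumed/constructed values: site name, CA file path, client cert path, local account.
Import-Module WebAdministration

$site       = 'Default Web Site'            # assumption: your site name
$caFile     = 'C:\certs\issuing-ca.cer'     # assumption: CA that issued the client cert
$clientFile = 'C:\certs\client.cer'         # assumption: public part of the client cert
$apphost    = 'MACHINE/WEBROOT/APPHOST'

# Step 1: trust the issuing CA. A self-signed root goes in Root, anything else in CA.
$ca    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($caFile)
$store = if ($ca.Subject -eq $ca.Issuer) { 'Root' } else { 'CA' }
Import-Certificate -FilePath $caFile -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null

# Check: a non-self-signed certificate sitting in Trusted Root is a known cause of 403.16.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -ne $_.Issuer } |
    Format-List Subject, Issuer, Thumbprint

# Step 2: Require SSL and require a client certificate.
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter 'system.webServer/security/access' `
    -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Step 3: disable Anonymous Authentication.
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $false

# Step 4: one-to-one mapping of this exact certificate to a local account.
$auth = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
$cred = Get-Credential -Message 'Local account the certificate maps to'
$b64  = [Convert]::ToBase64String(
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($clientFile).RawData)

Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $auth `
    -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $auth `
    -Name oneToOneCertificateMappingsEnabled -Value $true
Add-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter "$auth/oneToOneMappings" -Name '.' -Value @{
        enabled     = $true
        userName    = $cred.UserName
        password    = $cred.GetNetworkCredential().Password
        certificate = $b64
    }
```

If the Trusted Root check lists any certificate, move it to the Intermediate Certification Authorities store before retesting in Chrome.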