If the client certificate is issued by a certificate authority that you cannot connect to, you can use a tool called Adsutil to bypass the revocation check. However, if you bypass the check, you will never receive any certificate revocation lists from that certificate authority. This means that you will always trust all certificates from this certificate authority, including ones it has since revoked.
Since the domains might not trust each other or might not be reachable, you must override the certificate revocation list check.
Do the following on each front-end Web server:
1. Open a command prompt.
2. Navigate to \Inetpub\AdminScripts on the drive where the operating system is installed.
3. Type "cscript adsutil.vbs set w3svc/virtual_server_identifier/CertCheckMode 1", where virtual_server_identifier is the numeric identifier of the Web site (see below for how to find it).
D:\Inetpub\AdminScripts>cscript adsutil.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Usage:
ADSUTIL.VBS
Description:
IIS administration utility that enables the configuration of metabase properties
Supported Commands:
GET, SET, ENUM, DELETE, CREATE, COPY,
APPCREATEINPROC, APPCREATEOUTPROC, APPCREATEPOOLPROC, APPDELETE, APPUNLOAD, APPGETSTATUS
Samples:
adsutil.vbs GET W3SVC/1/ServerBindings
adsutil.vbs SET W3SVC/1/ServerBindings ":81:"
adsutil.vbs CREATE W3SVC/1/Root/MyVdir "IIsWebVirtualDir"
adsutil.vbs START_SERVER W3SVC/1
adsutil.vbs ENUM /P W3SVC
For Extended Help type:
adsutil.vbs HELP
To find the virtual_server_identifier, do the following:
1. Open Internet Information Services (IIS) Manager.
2. On the Internet Information Services management console, expand the tree view.
3. Click Web Sites.
4. In the details pane, the virtual_server_identifier is listed in the Identifier column for the virtual server. For example, the identifier for Default Web site is 1.
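As an added example that is not part of the original post, the following PowerShell script wraps the same adsutil.vbs commands shown above (ENUM /P and GET) to report, for every Web site on a front-end server, whether CertCheckMode is set to 1 and revocation checking is therefore bypassed; it assumes IIS 6 with adsutil.vbs in \Inetpub\AdminScripts and the adsutil output formats noted in the comments.

```powershell
# Audit script (added example, not from the original post). Assumes IIS 6 and
# adsutil.vbs output in the forms noted below; run it in an elevated prompt.
param(
    [string]$AdsUtil = "$env:SystemDrive\Inetpub\AdminScripts\adsutil.vbs",
    [switch]$RestoreRevocationCheck   # set CertCheckMode back to 0 where it is 1
)

function Invoke-AdsUtil {
    param([string[]]$Arguments)
    # //Nologo suppresses the Windows Script Host banner so only tool output is parsed
    & cscript.exe //Nologo $AdsUtil @Arguments 2>&1 | ForEach-Object { $_.ToString() }
}

# "ENUM /P W3SVC" lists child paths as lines like "[/W3SVC/1]";
# the numeric children are the Web sites (assumed output format)
$siteIds = Invoke-AdsUtil @("ENUM", "/P", "W3SVC") |
    ForEach-Object { if ($_ -match '^\[/W3SVC/(\d+)\]') { $Matches[1] } }

foreach ($id in $siteIds) {
    # ServerComment is the friendly name shown in IIS Manager, printed as
    # 'ServerComment : (STRING) "Default Web Site"' (assumed output format)
    $comment = Invoke-AdsUtil @("GET", "W3SVC/$id/ServerComment") | Out-String
    $name = if ($comment -match '\(STRING\)\s+"(.*)"') { $Matches[1] } else { "(no comment)" }

    # GET prints "CertCheckMode : (INTEGER) 1" when the value is set at this node;
    # when it is not set, adsutil reports that instead and the default (0 = check CRLs) applies
    $out  = Invoke-AdsUtil @("GET", "W3SVC/$id/CertCheckMode") | Out-String
    $mode = if ($out -match '\(INTEGER\)\s+(\d+)') { [int]$Matches[1] } else { 0 }
    $status = if ($mode -eq 0) { "CRL checked" } else { "CRL check BYPASSED" }
    "Site {0,-4} {1,-30} CertCheckMode={2}  {3}" -f $id, $name, $mode, $status

    # Optional remediation: re-enable revocation checking on sites that bypass it
    if ($RestoreRevocationCheck -and $mode -ne 0) {
        Invoke-AdsUtil @("SET", "W3SVC/$id/CertCheckMode", "0") | Out-Null
        "  -> CertCheckMode reset to 0 on site $id; re-run the audit to confirm"
    }
}
```

Run it without the switch to get an inventory of which front-end servers and sites still trust certificates from an unreachable CA without revocation data.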
Another common problem:
Error 403.16 (Forbidden: Client certificate is ill-formed or is not trusted by the Web server)
Solution:
If you attempt to use a certificate that has multiple levels of certificate authorities, you might need to install one or more certificate authorities in the intermediate certificate authority store for your server. To do this, use the SSL Diagnostic Utility Download for IIS (described in the next section) to diagnose the missing certificate authority in the chain. Installing the missing certificate authority should correct the problem. See your certificate administrator for more information about how the certificates for your organization are configured.
1 comment:
Blogs are all over the World! Nice!
http://blogdezeus.blogs.sapo.pt/