IIS returns HTTP "403.13 Client Certificate Revoked" error message although certificate is not revoked (294305)
The information in this article applies to:
- Microsoft Internet Information Services version 6.0
- Microsoft Internet Information Services 5.0
This article was previously published under Q294305
SYMPTOMS
When you browse to a Web site that is set to require client certificates, you may receive the following HTTP error message even if you are sure that the client certificate has not been revoked:
403.13 Client Certificate Revoked
CAUSE
By default, Internet Information Services (IIS) checks whether the client certificate that is being presented has been revoked. It does this by downloading the Certificate Revocation List (CRL) from a CRL Distribution Point (CDP) that is listed in the certificate. If IIS cannot download any of the CRLs listed for a certificate in the client certificate's chain, the HTTP error message is displayed in the client's browser.
RESOLUTION
For each certificate in the chain that has a CDP listed, ensure that IIS is able to download at least one CRL. This usually involves adjusting firewall, proxy, or Domain Name Server (DNS) settings to admit the necessary traffic; depending on the protocol, this can be Hypertext Transfer Protocol (HTTP) or remote procedure call (RPC). Note that the Web server itself must be able to resolve and download the CRL, regardless of whether the client browser can, because it is the Web server that services the HTTP request that requires the client certificate.
To avoid the HTTP 403.13 error message, do one of the following:
- Enable IIS to download the CRL. To do this, follow these steps:
  1. Delete any duplicate client certificates (that is, client certificates that are issued from the same Certificate Authority) from the client browser.
  2. Start with the client certificate and proceed up the certification path. Paste each certificate's CDP HTTP reference in the browser on the server. If the file fails to download, there is a problem with the CDP.
     NOTE: Double-click each certificate in the certification path to view its properties.
  3. Use the PING, Tracert.exe, or Wfetch.exe utilities to identify any name resolution or network latency issues that arise when you contact the problem CDP.
  4. Find the IP address of the problem CDP and add an entry to the HOSTS file on the IIS computer. This should enable IIS to download the CRL and resolve the error.
  5. Repeat these steps for each certificate in the client certificate's certification path.
- If a proxy computer is involved, change the account that is used to start IIS to a domain administrator account and restart the IIS Admin service. If this resolves the issue, the local system account, or the account that is regularly used to start IIS, does not have sufficient permissions on the proxy server to access the Internet.
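The CDP walk described in the steps above can be scripted so that every certificate in the chain is checked from the server's own point of view. The following PowerShell script is an added example, not part of the original article; it assumes a modern Windows PowerShell with the DnsClient module, is run on the IIS computer, and takes the path to an exported client certificate in the hypothetical `$CertPath` parameter.

```powershell
# Added example (not from the KB): walk a client certificate's chain and try to
# fetch each CRL Distribution Point URL from the Web server itself, because it is
# IIS, not the browser, that must be able to download the CRL.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath   # assumed parameter: path to the exported client certificate (.cer)
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# Build the chain with revocation checking disabled so it still resolves when a
# CRL is unreachable; the CDPs are tested explicitly below.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($cert)

foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    Write-Host "`nCertificate: $($c.Subject)"
    # OID 2.5.29.31 is the CRL Distribution Points extension
    $cdpExt = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | Select-Object -First 1
    if (-not $cdpExt) { Write-Host '  no CDP listed (nothing for IIS to download)'; continue }

    # Format() renders the extension as text with one "URL=..." entry per distribution point
    $urls = [regex]::Matches($cdpExt.Format($true), '(?i)(https?|ldap)://[^\s,]+') | ForEach-Object { $_.Value }
    $reachable = $false
    foreach ($url in $urls) {
        if ($url -notmatch '^(?i)https?://') { Write-Host "  skip (not HTTP): $url"; continue }
        $cdpHost = ([uri]$url).Host
        try {
            $null = Resolve-DnsName -Name $cdpHost -ErrorAction Stop   # name resolution from the server
        } catch {
            Write-Host "  DNS failure for $cdpHost ($url)"; continue
        }
        try {
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
            Write-Host "  OK   $url ($($resp.RawContentLength) bytes)"
            $reachable = $true
        } catch {
            Write-Host "  FAIL $url : $($_.Exception.Message)"   # firewall, proxy or CDP problem
        }
    }
    if (-not $reachable) { Write-Warning "No CRL could be downloaded for '$($c.Subject)'; IIS would return 403.13" }
}
```

A certificate with no CDP is reported as such; a certificate whose every HTTP CDP fails is the one to investigate with the HOSTS, firewall or proxy adjustments above.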
Modification Type: Major
Last Reviewed: 9/18/2006
Keywords: kbpending kbprb KB294305