You receive a "403.13 client certificate revoked" error message when you connect to a computer that is running Windows Server 2003 and Internet Information Services 6.0 (884115)


The information in this article applies to:

  • Microsoft Internet Information Services version 6.0, when used with:
    • Microsoft Windows Server 2003, Enterprise Edition
    • Microsoft Windows Server 2003, Standard Edition
    • Microsoft Windows Server 2003, Web Edition

SYMPTOMS

When you connect to a computer that is running Microsoft Windows Server 2003 and Microsoft Internet Information Services (IIS) 6.0, you may receive the following error message after you select a certificate:
403.13 Client Certificate Revoked

CAUSE

You may receive this error message if mutual authentication is enabled.

This problem occurs because of a certificate revocation list (CRL) retrieval timeout. Windows Server 2003 introduces new Microsoft Cryptography API (CAPI) behavior regarding network timeouts. This change was first made to address the problem of long delays that occur because of CAPI blocking during CRL retrievals when the target URL is inaccessible.

In Windows Server 2003, the default timeout is set to 15 seconds. Windows Server 2003 includes a feature that retries the download on a background thread with a default timeout of 60 seconds. CRLs that reside on a Lightweight Directory Access Protocol (LDAP) URL may be particularly affected because of reduced throughput.

WORKAROUND

To work around this problem, manually download the CRL, and then install it to the local computer certificate store.

Note Because the CRL is valid only for a limited time, you must retrieve a new CRL periodically.

To install a CRL to the local computer certificate store, follow these steps:
  1. Log on to the computer as a member of the local administrators group.
  2. Open the Certificates snap-in for the Computer account. To do this, follow these steps:
    1. Click Start, click Run, type mmc, and then click OK.
    2. On File menu, click Add/Remove Snap-in. The Add/Remove Snap-in dialog box appears.
    3. On the Standalone tab, click Add. The Add Standalone Snap-in dialog box appears.
    4. In the Available Standalone Snap-ins list, click Certificates, and then click Add.
    5. Click Computer account, and then click Next.
    6. Click Local computer, and then click Finish.
    7. Click Close, and then click OK.
  3. Expand Certificates, right-click Intermediate Certification Authorities, click All Tasks, and then click Import.
  4. Follow instructions in the wizard to complete the installation.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

Windows Server 2003 Service Pack 1 (SP1) is scheduled to include configurable timeout settings that are similar to those that are documented in the following article in the Microsoft Knowledge Base:

841632 You receive the "403.13 client certificate revoked" error message after you install the MS04-11 security update

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

841641 IIS returns a "403.13 Client Certificate Revoked" error message after you install MS04-011 because of Wininet proxy settings

841642 Errors with client certificates occur after you install the MS04-011 security update on an IIS 5.0 computer

Modification Type:MajorLast Reviewed:10/13/2004
Keywords:kbtshoot kberrmsg KB884115 kbAudEndUser
©2004 Microsoft Corporation. All rights reserved.