403.16 error: “Client certificate is untrusted or invalid”

This post has been republished via RSS; it originally appeared at: IIS Support Blog articles.

Browsers show 4xx errors when there is a client-side issue while browsing a website. A 403 error specifically translates to “Forbidden”. Check the Failed Request Logs and IIS logs to get more details about the issue. If you see 16 as the sub-status code, the underlying reason is “Client certificate is untrusted or invalid” (Reference).


In the case I worked on, the issue was the missing root certificate on the IIS server. We solved the issue by adding the certificate following the steps below.

  • On the IIS server, click Start, type “mmc.exe”
  • Right-click on mmc.exe. Select “Run as administrator”
  • Go to “File > Add/Remove Snap-in”
  • From the “Available snap-ins” list, click “Certificates”. Then click “Add”
  • Select “Computer account”. Click “Next”
  • Click “Local computer”. Click “Finish”, “Close”, and “OK” in the given order
  • Go to “Certificates > Trusted Root Certification Authorities > right-click Certificates > All Tasks > Import”
  • On the “Certificate Import Wizard” window, click “Next”
  • Type the location of the certification authority’s root certificate. Click “Next”
  • Click “Next” and “Finish”


Another root cause of the 403.16 issue might be the presence of non-self-signed certificates in the “Trusted Root Certification Authorities” container (Reference 1, Reference 2).
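
The same import done from an elevated PowerShell prompt, followed by a check for the second root cause, is shown below. This script is an added example, not part of the original post; the certificate path is a placeholder you must replace.

```powershell
#Requires -RunAsAdministrator
# Added example: import a root CA certificate into the machine's Trusted Root
# store, then look for non-self-signed certificates in that store.
param(
    [string]$RootCertPath = 'C:\temp\root-ca.cer'   # placeholder path (assumption)
)

$store = 'Cert:\LocalMachine\Root'   # "Trusted Root Certification Authorities", computer account

# Load the file without installing it so it can be inspected first.
$candidate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCertPath

"Subject    : $($candidate.Subject)"
"Issuer     : $($candidate.Issuer)"
"Thumbprint : $($candidate.Thumbprint)"   # compare with the value published by the CA
"Expires    : $($candidate.NotAfter)"

# A root CA certificate is self-signed: Subject and Issuer are identical.
# Anything else is an intermediate or end-entity certificate and does not
# belong in the Trusted Root store.
if ($candidate.Subject -ne $candidate.Issuer) {
    throw "Not self-signed (issued by '$($candidate.Issuer)'). Do not import into $store."
}

if ($candidate.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($candidate.NotAfter)."
}

# Import only if the same certificate is not already trusted.
if (Test-Path "$store\$($candidate.Thumbprint)") {
    "Already present in $store, nothing imported."
} else {
    Import-Certificate -FilePath $RootCertPath -CertStoreLocation $store | Out-Null
    "Imported into $store."
}

# Second root cause from this post: non-self-signed certificates sitting in
# the Trusted Root store. Each entry listed here should be reviewed.
$misplaced = Get-ChildItem $store | Where-Object { $_.Issuer -ne $_.Subject }
if ($misplaced) {
    "Non-self-signed certificates found in ${store}:"
    $misplaced | Format-List Subject, Issuer, Thumbprint, NotAfter
} else {
    "No non-self-signed certificates in $store."
}
```

Adding a certificate to this store makes the server trust every certificate chained to it, so confirm the printed thumbprint against the CA's published value before importing.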
