This post has been republished via RSS; it originally appeared at: IIS Support Blog articles.
Browsers show 4xx errors when there is a client side issue while browsing a website. 403 error specifically translates to “Forbidden“. Check Failed Request Logs and IIS logs to get more details about the issue. If you see 16 as a sub-status code, it means the underlying reason is that “Client certificate is untrusted or invalid” (Reference).
Solution
In the case I worked on, the issue was the missing root certificate in IIS server. We solved the issue by adding the certificate following the steps below.
- In IIS server, click Start, type “mmc.exe“
- Right-click on mmc.exe. Select “Run as administrator“
- Go to “File > Add/Remove Snap-in“
- From “Available snap-ins” list, click “Certificates“. Then click “Add“
- Select “Computer account”. Click “Next”
- Click “Local computer“. Click “Finish”, “Close”, and “OK” in the given order
- Go to “Certificates > Trusted Root Certification Authorities > right-click Certificates > All Tasks > Import“
- On the “Certificate Import Wizard” window, click “Next”
- Type the location of the certification authority’s root certificate. Click “Next”
- Click “Next” and “Finish”
Another root cause of the 403.16 issue might be the usage of non-self-signed certificates in “Trusted Root Certification Authorities” container: Reference 1, Reference 2