MTLS certificate is rejected with 403.16
I am integrating with a 3rd party and that 3rd party presents a client side certificate when connecting using MTLS.
The certificate they are using was generated by a CSR from the 3rd party to us. It was actioned against one of our CAs and returned to the 3rd party. One of our admins actioned the CSR and has provided me with the public key of that cert, along with the public key for the CA.
The public key of the CA has been added to the machine certificate store Trusted Root Certification Authorities and per guidance from a docs page for troubleshooting 403.16 the public key from the CSR has been added to the Intermediate Certification Authorities store.
IIS has been configured using the Configuration Editor at the path system.webServer/security/authentication/iisClientCertificateMappingAuthentication via manyToOneMappings to assign the user a Windows account based on the certificate that is presented. The certificate is configured to match against the common name (CN) and is configured correctly:

When the 3rd party connects, the IIS log shows a 403.16 error.
I am confident this is correctly configured. I have generated my own certs using makecert.exe and proved that this works.
The CAPI2 log shows the following error messages, in order from first to last received:
- The specified network resource or device is no longer available.
- The revocation function was unable to check revocation because the revocation server was offline.
- The certificate is not valid for the requested usage.
I expect that #1 is a result from attempting to check for revocation.
Some questions:
- Would failing to check revocation cause a 403.16?
- The certificate generated from the CSR indicates its purpose as "Server Authentication". Is "Client Authentication" a required purpose in order for MTLS to work?
Thanks in advance.
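The two questions above (does a failed revocation check alone produce a 403.16, and is the Client Authentication EKU required) can be tested directly on the IIS host against the partner's certificate. The PowerShell below is an added example, not code from the original post: it reads the certificate from a file (the path `C:\certs\partner.cer` is an assumption), reports which Enhanced Key Usage OIDs it carries, then builds the chain twice with the Client Authentication application policy that Schannel applies to client certificates, once with online revocation checking and once with revocation ignored, so that an EKU or trust failure can be told apart from a CRL/OCSP reachability problem.

```powershell
# Added example, not from the original post. Assumes the partner's certificate
# is at C:\certs\partner.cer and that the issuing CA is already in
# LocalMachine\Root, as the post describes.
param([string]$CertPath = 'C:\certs\partner.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
Write-Host "Subject: $($cert.Subject)"
Write-Host "Issuer:  $($cert.Issuer)"

# 1) Enhanced Key Usage. A certificate presented as a TLS client certificate must
#    carry Client Authentication (1.3.6.1.5.5.7.3.2), or have no EKU at all.
#    Server Authentication (1.3.6.1.5.5.7.3.1) on its own is not accepted.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

if ($null -eq $eku) {
    Write-Host "No EKU extension: certificate is usable for any purpose, including client auth."
} else {
    $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
    Write-Host "EKU OIDs: $($oids -join ', ')"
    if ($oids -contains $ClientAuthOid) {
        Write-Host "Client Authentication EKU present."
    } else {
        Write-Warning "Client Authentication EKU missing: chain building for client auth reports 'not valid for the requested usage'."
    }
}

# 2) Build the chain with the Client Authentication application policy, the same
#    usage Schannel checks for a client certificate. Run it with online revocation
#    checking and again with revocation ignored to separate the two failure modes.
function Test-ClientAuthChain {
    param([System.Security.Cryptography.X509Certificates.X509RevocationMode]$Mode)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $Mode
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $null = $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $ClientAuthOid))

    $ok = $chain.Build($cert)
    Write-Host ("Chain build (RevocationMode={0}): {1}" -f $Mode, $ok)
    foreach ($s in $chain.ChainStatus) {
        Write-Host ("  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
    $chain.Reset()
    return $ok
}

$null = Test-ClientAuthChain -Mode ([System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online)
$null = Test-ClientAuthChain -Mode ([System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck)

# The built-in equivalent, which also prints every CRL/OCSP URL it tries to fetch:
#   certutil -verify -urlfetch C:\certs\partner.cer
```

If the NoCheck build succeeds and only the Online build fails, the problem is revocation reachability (the CDP/AIA URLs in the certificate are not resolvable from the IIS host). If both builds fail with a "not valid for the requested usage" status, the EKU is the blocker and the certificate has to be reissued from a template that includes Client Authentication; the 403.16 substatus ("Client certificate is untrusted or invalid") covers both cases, so the CAPI2 log is the place to tell them apart.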
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow