1. Check the IIS logs. They should have the HTTP sub-status and the Win32 error code. In my case this was 16 (so the full HTTP code was 403.16) and 2148204809 (and sometimes 2148204801).
2. Error 2148204809 translates to: the root certificate, or some certificate in the chain, is invalid.
3. Checking the root certificate, it was found to be valid.
4. The following command was run in PowerShell to see if there were any invalid root certificates:
# List every entry in the machine Root store that is not self-signed (Issuer differs from Subject)
# and dump the full details to a file for review
Get-ChildItem cert:\LocalMachine\root -Recurse |
    Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File "c:\computer_filtered.txt"
It turns out we had a GoDaddy certificate that got revoked recently in the system. Removing this solved the issue. It was very strange that an unrelated certificate revocation could cause auth issues for a site that does not even use that certificate.
Note:
Just in case the above is not working, you can try the below as a test. It's not clear whether leaving these on is recommended or not.
Open the registry and navigate to the key below:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Add two 32-bit DWORD keys and set the values as below:
- SendTrustedIssuerList = 0 (stop sending the list of trusted root certification authorities during the TLS/SSL handshake process)
- ClientAuthTrustMode = 2 (set the trust mode to Exclusive CA Trust, which requires that a client certificate chain to either an intermediate CA certificate or a root certificate in the caller-specified trusted issuer store)
Note 2:
Not related to the above, but most of the time certificate-based auth fails due to access issues to the certificate's private keys. Check to make sure the client has access to the private keys of the certificate (and the same in IIS, where the IIS app pool user has access to the private keys used by the certificate).
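The three checks in this answer (non-root entries in the machine Root store, the two SCHANNEL registry values, and app pool access to the server certificate's private key) can be audited together from one script. The script below is an added example, not code from the original answer; it only reads state and changes nothing. The thumbprint and app pool identity in the usage lines are placeholders you replace with your own, and the expired-certificate filter is an extra signal added here beyond what the answer describes.

```powershell
# Added example (not part of the original answer): read-only audit of the
# conditions this answer associates with 403.16 on client-certificate auth.
# Run elevated on the IIS host. Placeholder values are marked below.

function Get-SuspectRootCertificates {
    # Entries in LocalMachine\Root whose Issuer differs from Subject are not
    # self-signed roots, so Schannel cannot anchor a trusted chain at them.
    # Expired entries are reported too as a second, cheap signal (added here).
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Issuer -ne $_.Subject -or $_.NotAfter -lt (Get-Date) } |
        Select-Object Thumbprint, Subject, Issuer, NotAfter,
            @{ n = 'Reason'; e = { if ($_.Issuer -ne $_.Subject) { 'not self-signed' } else { 'expired' } } }
}

function Get-SchannelClientTrustSettings {
    # Reads (does not set) the two values named in the answer. $null means the
    # value is absent and the operating system default applies.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SendTrustedIssuerList = $p.SendTrustedIssuerList
        ClientAuthTrustMode   = $p.ClientAuthTrustMode
    }
}

function Test-PrivateKeyAccess {
    # Checks whether $Identity has an explicit Allow/Read ACE on the on-disk
    # private key container of the certificate with $Thumbprint (RSA keys only).
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Identity   # e.g. 'IIS AppPool\MyPool'
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store." }

    # Resolve the key container file name for both CNG and legacy CAPI keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $rsa.Key.UniqueName
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    if (-not $keyName) { throw "Could not resolve an RSA private key container for $Thumbprint." }

    # Machine keys live under ProgramData\Microsoft\Crypto
    # (RSA\MachineKeys for CAPI, Keys for CNG); search both.
    $keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $keyName -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $keyFile) { throw "Key container $keyName was not found on disk." }

    $acl = Get-Acl -Path $keyFile.FullName
    $allow = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
    }
    [pscustomobject]@{
        Thumbprint = $Thumbprint
        KeyFile    = $keyFile.FullName
        Identity   = $Identity
        HasRead    = [bool]$allow
    }
}

# --- usage; both arguments below are constructed placeholders ---
Get-SuspectRootCertificates | Format-Table -AutoSize
Get-SchannelClientTrustSettings
Test-PrivateKeyAccess -Thumbprint 'PLACEHOLDER_THUMBPRINT' -Identity 'IIS AppPool\DefaultAppPool'
```

Two caveats on the private key check: it only matches an ACE granted directly to the named identity, so access inherited through a group such as IIS_IUSRS shows as HasRead = $false even though the pool can actually open the key, and it handles RSA keys only (ECDSA certificates need the ECDsa equivalent of GetRSAPrivateKey). Anything reported by Get-SuspectRootCertificates deserves a look before removal; an entry that is not self-signed simply does not belong in the Root store, whereas an expired root may still be needed for old signatures.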