403.16 error: “Client certificate is untrusted or invalid”

Browsers show 4xx errors when there is a client side issue while browsing a  website. 403 error specifically translates to “Forbidden“. Check  Failed Request Logs and IIS logs to get more details about the issue. If you see 16 as a sub-status code, it means the underlying reason is that “Client certificate is untrusted or invalid” (Reference).

Solution

In the case I worked on, the issue was the missing root certificate in IIS server. We solved the issue by adding the certificate following the steps below.

• In IIS server, click Start, type “mmc.exe“
• Right-click on mmc.exe. Select “Run as administrator“
• Go to “File > Add/Remove Snap-in“
• From “Available snap-ins” list, click “Certificates“. Then click “Add“
• Select “Computer account”. Click “Next”
• Click “Local computer“. Click “Finish”, “Close”, and “OK” in the given order
• Go to “Certificates > Trusted Root Certification Authorities > right-click Certificates > All Tasks > Import“
• On the “Certificate Import Wizard” window, click “Next”
• Type the location of the certification authority’s root certificate. Click “Next”
• Click “Next” and “Finish”

Another root cause of the 403.16 issue might be the usage of non-self-signed certificates in “Trusted Root Certification Authorities” container: Reference 1, Reference 2