IIS 8.5 certificate chain error results in 403.16 error
Posted on 2014-08-06
In IIS I am requiring certificates for a directory that authorized users will access with their smartcard that has both an ID and Email/Signing certs. Many-to-one certificate mapping has been set up and one rule enabled to match the cert subject OU field which is consistent across all certificates.
In a browser, I go to the site and click into the directory. I get asked which certificate to use as ActivClient makes them available to Windows. I select one of them (both should work) and then enter and submit my PIN so the smartcard's private key can be accessed to complete the request. The server response is 403.16. Looking at the failed request trace:
ModuleName IIS Web Core
ErrorCode A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (0x800b0109)
Opening up the mmc certificate snap-in shows that the local computer certificate store has the certificates installed where expected. The CA Root certificate is in the (local machine)/Trusted Root Certification Authorities store and the intermediate CA certificates (corresponding to the ID and Signing certs) are installed to (local machine)/Intermediate Trusted Root Certification Authorities.
I also ran SSLDiag.exe which reported "Certificate verified." for the SSL certificate. This comes from Network Solutions and has its own root and intermediate certs installed to the same (local machine) trusted and intermediate cert locations. Other SSL enabled pages display fine so no problem there.
How can I trace this further to find what the underlying problem is? Or, believing the error message, how do I tell the trust provider that the Root CA should be trusted?
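One way to take the tracing further on the server itself, as an added diagnostic and not part of the original post: build the client certificate's chain in machine context with .NET's X509Chain (the same stores the IIS trust provider consults), confirm the chain's terminating root is actually in LocalMachine\Root, and list any certificate in LocalMachine\Root that is not self-signed. That last check matters because Microsoft documents a non-self-signed certificate sitting in the Trusted Root store as a cause of 403.16 when client certificate mapping is used. The script assumes the public part of one smartcard certificate has been exported to C:\temp\client.cer; that path is a placeholder.

```powershell
# Added diagnostic, not from the original post. Assumes the client certificate
# (public part only) was exported to the path below; adjust as needed.
$certPath = 'C:\temp\client.cer'

# 1. Build the chain the way a machine-context trust provider would: machine stores,
#    revocation checking off so a CRL fetch problem cannot mask a pure trust error.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)   # $true = machine context
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)
"Chain builds without errors: $built"

foreach ($element in $chain.ChainElements) {
    "{0}`n    issued by {1}" -f $element.Certificate.Subject, $element.Certificate.Issuer
    foreach ($s in $element.ChainElementStatus) {
        "    status: {0} {1}" -f $s.Status, $s.StatusInformation.Trim()
    }
}
foreach ($s in $chain.ChainStatus) {
    "Overall chain status: {0} {1}" -f $s.Status, $s.StatusInformation.Trim()
}

# 2. Is the root that terminates this chain in the *machine* Trusted Root store?
#    A root imported only into the current user's store satisfies the MMC view but not IIS.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inMachineRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
"Chain root '{0}' present in LocalMachine\Root: {1}" -f $root.Subject, [bool]$inMachineRoot

# 3. Anything in LocalMachine\Root whose subject differs from its issuer is not a root.
#    Such entries belong in Intermediate Certification Authorities; move them, then retest.
"Non-self-signed entries in LocalMachine\Root (should be empty):"
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -ne $_.Issuer } |
    Select-Object Subject, Issuer, Thumbprint
```

Run it from an elevated PowerShell prompt on the IIS server. If step 1 reports UntrustedRoot while the MMC shows the root installed, compare the thumbprint printed in step 2 against the root you imported; if step 3 returns anything, relocate those certificates to Intermediate Certification Authorities and retry the request before changing the mapping rules.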