HTTPS SSL IIS 403 error

I am getting the error below when I try to access an HTTPS website hosted on IIS (did all required configurations).
The website is configured with "many-to-one certificate mapping" enabled.
On IIS --> website --> SSL Settings --> Require SSL --> Ignore/Accept, it works fine.
But when I set IIS --> website --> SSL Settings --> Require SSL --> Require, I get a 403 error
(though I am sending a valid client certificate):
403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.
btan (Exec Consultant) commented:
Often the file system permissions can be correct, but IIS still won't allow users through if the authentication settings are wrong. The client certificate must be installed under a personal account, not the local machine, and it should be in the Personal store, not the Trusted People store.
The problem was that the CA cert that I used to sign the client certs was installed in the “Current User” Trusted Root Certificates store on the server running IIS. It needs to be installed in the “Local Computer” Trusted Root Certificates store since IIS runs as a local service account, not the current user. Unless it is installed in the “Local Computer” store, IIS will not be able to validate the client certificates and will throw back a 403 error.

Use the MMC Certificates Snap-In “Import” function to manually install the CA cert in the “Local Machine” Trusted Root Certificates store. Just double-clicking on the CA cert in Explorer will install it in the “Current User” Trusted Root Certificates store by default, leading to the 403 issue.

On the client machines, installing the CA cert in the “Current User” store is fine, since the browser runs as the “Current User” and thus has access to this store. It’s just the computer running IIS that needs the CA cert installed in the “Local Machine” store.
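The check a practitioner would want before clicking through the MMC: does the client certificate actually chain to a trusted root in the machine stores, which is the only view an IIS worker process gets? The script below is an added example (not from this thread): it builds the chain in the local-machine context, reports whether the CA certificate sits in LocalMachine\Root or only in CurrentUser\Root (the mismatch described in the answer above), and, if needed, imports it with `Import-Certificate` (PKI module, Windows Server 2012+) instead of the snap-in. The file paths are assumptions.

```powershell
# Added example, not part of the original thread. Run in an elevated PowerShell on the IIS server.
param(
    [string]$ClientCertPath = 'C:\certs\client.cer',     # assumed: exported public part of a client cert
    [string]$CaCertPath     = 'C:\certs\issuing-ca.cer'  # assumed: the CA certificate that signed it
)

$client = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ClientCertPath
$ca     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaCertPath

function Test-MachineChain([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # $true selects the local-machine chain engine (HCCE_LOCAL_MACHINE). It only consults the
    # HKLM stores, so a CA that lives solely in CurrentUser\Root is invisible here, just as it is to IIS.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    # Keep this test offline; IIS itself does check revocation, so fix CRL/OCSP reachability separately.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($Cert)
    if (-not $ok) {
        $chain.ChainStatus | ForEach-Object { Write-Host ("  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim()) }
    }
    return $ok
}

# Locate the CA certificate by thumbprint, not by name; the Cert: provider resolves thumbprint paths.
$inMachineRoot = Test-Path "Cert:\LocalMachine\Root\$($ca.Thumbprint)"
$inUserRoot    = Test-Path "Cert:\CurrentUser\Root\$($ca.Thumbprint)"
Write-Host "CA '$($ca.Subject)' in LocalMachine\Root: $inMachineRoot; in CurrentUser\Root: $inUserRoot"

if (Test-MachineChain $client) {
    Write-Host 'Client certificate chains in the machine context; IIS can validate it.'
} else {
    Write-Host 'Client certificate does NOT chain in the machine context (this is the 403 case).'
    if (-not $inMachineRoot) {
        # The fix from the answer above, done from the shell instead of the MMC snap-in.
        # Intermediate CAs belong in Cert:\LocalMachine\CA, only the root goes into Root.
        Import-Certificate -FilePath $CaCertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
        Write-Host 'Imported CA into LocalMachine\Root; re-checking...'
        Test-MachineChain $client | Out-Null
    }
}
```

If the chain still fails after the import with a `PartialChain` status, the missing link is usually an intermediate CA that needs to go into `Cert:\LocalMachine\CA`; an `UntrustedRoot` status means the top of the chain was found but is not in `LocalMachine\Root`.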
arnold commented:
Require client certificate means you actually have to import the public certificate to which the user-provided certificate will be compared.

I.e., you tell a guard to check all persons wanting to enter, requiring that they present an ID.
As you did with IIS, you update the instruction to only allow certain people.
Shortly you get a call from Jane, who was denied access.
Reason: you did not provide the guard with a list, per the new requirements, identifying who is permitted to enter once identified.

To clarify: do you have an internal CA that issues the client certs to those who would be accessing the site?
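The "list for the guard" in the analogy above is the many-to-one mapping in applicationHost.config: a rule that says which certificate field must match what, and which Windows account a matching certificate is mapped to. The script below is an added example (not from this thread or from Microsoft) that writes that configuration with the WebAdministration module and sets the same "Require" SSL flags the question toggles in the GUI. The site name, CA common name, and mapped account are assumptions; the IIS Client Certificate Mapping Authentication feature must be installed.

```powershell
# Added example, not part of the original thread. Run elevated on the IIS server.
Import-Module WebAdministration

$site = 'Default Web Site'     # assumed site name
$caCN = 'Contoso Issuing CA'   # assumed: CN of the CA that signs the client certificates
$user = 'certmapuser'          # assumed: a dedicated, low-privilege local account for mapped users
$pass = Read-Host -AsSecureString "Password for $user"

$authPath = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
$common   = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $site }

# 1. Enable the feature for this site and select many-to-one mode (one-to-one needs a copy of every client cert).
Set-WebConfigurationProperty @common -Filter $authPath -Name enabled -Value $true
Set-WebConfigurationProperty @common -Filter $authPath -Name manyToOneCertificateMappingsEnabled -Value $true
Set-WebConfigurationProperty @common -Filter $authPath -Name oneToOneCertificateMappingsEnabled -Value $false

# 2. Add one mapping: every certificate whose Issuer CN equals $caCN is mapped to $user.
#    The password attribute is stored encrypted by the IIS configuration system; the account still
#    needs least privilege because every holder of a valid cert becomes that account.
$plain = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto(
            [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($pass))
Add-WebConfigurationProperty @common -Filter "$authPath/manyToOneMappings" -Name '.' -Value @{
    name = 'Contoso client certs'; enabled = 'True'; permissionMode = 'Allow'
    userName = $user; password = $plain
}
Add-WebConfigurationProperty @common -Filter "$authPath/manyToOneMappings/add[@name='Contoso client certs']/rules" -Name '.' -Value @{
    certificateField = 'Issuer'; certificateSubField = 'CN'
    matchCriteria = $caCN; compareCaseSensitive = 'True'
}

# 3. Require SSL and require (not merely accept) a client certificate, i.e. the "Require" radio button.
Set-WebConfigurationProperty @common -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 4. Read back what was written.
Get-WebConfiguration @common -Filter "$authPath/manyToOneMappings/add" |
    Select-Object name, enabled, permissionMode, userName
```

Matching on the Issuer alone means "anyone with a certificate from this CA gets in", which is exactly what many-to-one mapping is for; tighten `certificateField='Subject'` rules (for example on OU) if only part of the CA's population should be admitted. The mapping is evaluated only after the schannel chain check passes, so the CA must also be trusted in the machine's Trusted Root store as described in the accepted answer, or the request never reaches this rule.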
btan (Exec Consultant) commented:
For author advice.
btan (Exec Consultant) commented:
For consideration since no further inputs.