Client receives 403.16 error when IIS cannot process a complete certificate chain

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

When IIS receives an incoming Secure Sockets Layer (SSL) request from a client, it attempts to build its certificate chain before sending its certificate information back to the client. Earlier versions of IIS downloaded intermediate certificates automatically; beginning with IIS 6.0, IIS does not do so by default. Instead, IIS 6.0 fails the Certificate Revocation List (CRL) check for the certificate because it cannot find the HTTP location for the CRL Distribution Point (CDP). The user then sees an HTTP 403.16 error message.

To rectify this error, add the intermediate certificate to the Intermediate Certification Authorities folder on the local computer.

To add an intermediate certificate to Intermediate Certification Authorities

  1. Download the intermediate certificate to the desktop of the computer where you want to install the certificate.

  2. Right-click the certificate, click Install Certificate to open the Certificate Import wizard, and then click Next.

  3. On the File to Import page, click Next.

  4. On the Password page, type a password, if available, in the Password field, and then click Next.

  5. On the Certificate Store page, click Place all certificates in the following store, and then click Browse.

  6. In the Select Certificate Store dialog box, check Show physical stores.

  7. Expand the Intermediate Certification Authorities folder, select the Local Computer folder, and then click OK.

  8. Click Next and then click Finish.
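The wizard steps above can also be scripted. The following is an added example, not part of the original article: it uses the .NET X509Store and X509Chain classes from Windows PowerShell to place a CA certificate in the Local Computer Intermediate Certification Authorities store (store name CA) and then build a chain with revocation checking. The parameter names and file paths are hypothetical, and it assumes an administrator session with Windows PowerShell and .NET Framework 2.0 or later installed.

```powershell
# Added example, not from the original article. Run from an administrator session.
param(
    [string]$IntermediatePath = 'C:\certs\intermediate.cer',  # hypothetical path
    [string]$LeafPath         = 'C:\certs\leaf.cer'           # hypothetical path
)
$ErrorActionPreference = 'Stop'
$x509 = 'System.Security.Cryptography.X509Certificates'

# Load the certificate to import. Use absolute paths: .NET does not follow
# the PowerShell working directory.
$intermediate = New-Object "$x509.X509Certificate2" $IntermediatePath

# Only CA certificates belong in this store: require the Basic Constraints
# extension (OID 2.5.29.19) with CA set to true.
$bc = $intermediate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Not a CA certificate: $($intermediate.Subject)"
}
# Heuristic: a self-issued certificate is a root, not an intermediate.
if ($intermediate.Subject -eq $intermediate.Issuer) {
    throw "Self-issued certificate, not an intermediate: $($intermediate.Subject)"
}

# Equivalent of wizard steps 5-7: Local Computer, Intermediate Certification Authorities.
$store = New-Object "$x509.X509Store" 'CA', 'LocalMachine'
$store.Open('ReadWrite')
$store.Add($intermediate)
$found = $store.Certificates.Find('FindByThumbprint', $intermediate.Thumbprint, $false)
$store.Close()
if ($found.Count -eq 0) { throw 'Certificate not found in LocalMachine\CA after import.' }
"Imported: $($intermediate.Subject)"

# Build the chain for the certificate that has to validate, in the machine
# context, with online revocation (CRL) checking for everything below the root.
$leaf  = New-Object "$x509.X509Certificate2" $LeafPath
$chain = New-Object "$x509.X509Chain" $true
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$ok = $chain.Build($leaf)

'Chain elements:'
foreach ($e in $chain.ChainElements) { '  {0}' -f $e.Certificate.Subject }
'Chain status:'
foreach ($s in $chain.ChainStatus) { '  {0}: {1}' -f $s.Status, $s.StatusInformation.Trim() }
if (-not $ok) { throw 'Chain did not build cleanly; see the status lines above.' }
'Chain built with no errors.'
```

A `RevocationStatusUnknown` or `OfflineRevocation` status in the output means the CRL could not be retrieved, which is a separate problem from a missing intermediate certificate.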