Could not sign CSR Caused by: java.io.IOException: Cannot obtain certificate from certsrv authority: 403 Forbidden (ZDM-certsrv/1.0 - 403 16)

Article ID: CTX218994

Description

The issuing server answers the XenMobile client certificate request with an HTTP 403 16 Forbidden response.

IIS Log:
2016-10-11 14:42:18 10.1.1.51 POST /certsrv/certfnsh.asp - 443 - 192.168.100.100 ZDM-certsrv/1.0 - 403 16 2148204809 31

Environment

Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

Resolution

If the IIS logs on the issuing server show the request failing with 403 Forbidden and substatus 16 (logged as "403 16"), add the following value to the issuing server's registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Value name: ClientAuthTrustMode
Value type: REG_DWORD
Value data: 2

Defaults for Trust Modes

There are three Client Authentication Trust Modes supported by the Schannel provider. The trust mode controls how validation of the client's certificate chain is performed and is a system-wide setting controlled by the REG_DWORD "ClientAuthTrustMode" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel.

Value  Trust Mode               Description
0      Machine Trust (default)  Requires that the client certificate is issued by a certificate in the Trusted Issuers list.
1      Exclusive Root Trust     Requires that a client certificate chains to a root certificate contained in the caller-specified trusted issuer store. The certificate must also be issued by an issuer in the Trusted Issuers list.
2      Exclusive CA Trust       Requires that a client certificate chains to either an intermediate CA certificate or a root certificate in the caller-specified trusted issuer store.


Problem Cause

If IIS is not configured to use a CTL, SSL client certificate authentication will fail with the 403.16 error condition. This error occurs because SChannel.dll wrongly considers the client certificate to be untrusted. (NOTE: Having no CTL in use is the default configuration of IIS 8.0. This is configured by having no SendTrustedIssuerList present or by setting SendTrustedIssuerList=0).

In this scenario, the IIS log typically shows a value of 2148204809 in the sc-win32-status field. This translates to error code 0x800b0109, which is defined as CERT_E_UNTRUSTEDROOT.
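The following PowerShell ties the two halves of this article together: it picks the 403 16 entries out of an IIS log in the default W3C field order and decodes their sc-win32-status, then reports the current ClientAuthTrustMode on the issuing server. It is an added example, not part of the Citrix article; the log line is the article's own sample, the W3C field order is assumed to be the IIS default, and Set-ClientAuthTrustMode applies the resolution's value only if you uncomment the last line (after backing up the registry, as the caution above requires).

```powershell
# Added example (not from the Citrix article). Run in an elevated PowerShell
# session on the certsrv issuing server. Assumes the IIS log uses the default
# W3C field order: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
# cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus
# sc-win32-status time-taken.

# Constructed input: the article's own IIS log sample, repeated here for a
# stand-alone run. Replace with Get-Content on the real log, e.g.
#   Get-Content C:\inetpub\logs\LogFiles\W3SVC1\u_ex161011.log
$sampleLines = @(
    '2016-10-11 14:42:18 10.1.1.51 POST /certsrv/certfnsh.asp - 443 - 192.168.100.100 ZDM-certsrv/1.0 - 403 16 2148204809 31'
)

function Find-Iis403Substatus16 {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line.StartsWith('#')) { continue }      # skip W3C "#Fields:" etc. directives
        $f = $line -split ' '
        if ($f.Count -lt 15) { continue }
        if ($f[11] -ne '403' -or $f[12] -ne '16') { continue }
        $hex = '0x{0:X8}' -f [uint32]$f[13]          # sc-win32-status as HRESULT
        # 0x800B0109 is CERT_E_UNTRUSTEDROOT: Schannel rejected the client chain.
        $meaning = if ($hex -eq '0x800B0109') { 'CERT_E_UNTRUSTEDROOT' } else { 'other' }
        [pscustomobject]@{
            Time = "$($f[0]) $($f[1])"; Client = $f[8]; UserAgent = $f[9]
            Uri = $f[4]; Win32Status = $hex; Meaning = $meaning
        }
    }
}

$regPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$trustModes = @{ 0 = 'Machine Trust (default)'; 1 = 'Exclusive Root Trust'; 2 = 'Exclusive CA Trust' }

function Get-ClientAuthTrustMode {
    $v = (Get-ItemProperty -Path $regPath -Name ClientAuthTrustMode -ErrorAction SilentlyContinue).ClientAuthTrustMode
    if ($null -eq $v) { $v = 0 }                     # absent value behaves as the default, Machine Trust
    '{0} ({1})' -f $v, $trustModes[[int]$v]
}

function Set-ClientAuthTrustMode {
    param([ValidateSet(0, 1, 2)][int]$Mode)
    # REG_DWORD, exactly as the Resolution section specifies.
    New-ItemProperty -Path $regPath -Name ClientAuthTrustMode -PropertyType DWord -Value $Mode -Force | Out-Null
}

Find-Iis403Substatus16 -Lines $sampleLines | Format-List
"Current ClientAuthTrustMode: $(Get-ClientAuthTrustMode)"
# Set-ClientAuthTrustMode -Mode 2   # apply the article's fix (Exclusive CA Trust)
```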

Issue/Introduction

The issuing server answers the XenMobile client certificate request with an HTTP 403 16 Forbidden response. The 16 is a substatus that identifies the specific cause of the 403; it is not visible in the XenMobile logs, but it can be read from the IIS logs on the issuing server.

Additional Information

Could not sign CSR Caused by: java.io.IOException: Cannot obtain certificate from certsrv authority: 403 Forbidden
https://support.citrix.com/article/CTX218425

Internet Information Services (IIS) 8 may reject client certificate requests with HTTP 403.7 or 403.16 errors
https://support.microsoft.com/en-gb/kb/2802568

What's New in TLS/SSL (Schannel SSP)
https://technet.microsoft.com/en-us/library/hh831771.aspx?f=255&MSPPError=-2147217396