000036908 - Archer HTTP 403.16 Forbidden: Client Certificate Untrusted or Invalid error when attempting to access the RSA Archer site

Document created by RSA Customer Support Employee on Nov 5, 2018
Last modified by RSA Customer Support Employee on Oct 8, 2019
Version 2

Article Content

Article Number: 000036908

Applies To
RSA Product Set: Archer
RSA Product/Service Type: RSA Archer (On-Premise)
RSA Version/Condition: 6.x
Platform: Windows
Product Name: RSA-0012000
Product Description: Archer Platform

Issue
When attempting to access the Archer site, the following error is returned to the user via the browser:
HTTP 403.16 Forbidden: Client Certificate Untrusted or Invalid

Cause
Microsoft IIS has been configured to process client certificates, and the clients' certificates are being rejected by the Microsoft IIS server.

Resolution
When client certificates are enabled, the client certificates that have been pushed out through Group Policy to the Archer end users must be accepted by the Microsoft IIS servers running RSA Archer, or this error will occur.

Work with the Group Policy Administrator and Domain Administrator for the network to confirm the following:
  • Client Certificates for end users are not expired or invalid.
  • Microsoft IIS web servers are on the correct domain.
  • Current Client Certificates that are in use for end users are accepted by the Microsoft IIS Servers hosting Archer.
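
The checks above can be run directly on a web server. The following is an added example, not part of the original article or RSA tooling: it loads an end user's exported client certificate (public part only) and uses the .NET chain engine in machine context as a stand-in for the trust decision IIS makes. The function name `Test-ClientCertificateTrust` and the path `C:\Temp\user-client-cert.cer` are placeholders chosen for illustration.

```powershell
# Added example. Run in an elevated PowerShell session on the IIS server hosting Archer.
function Test-ClientCertificateTrust {
    param(
        # Placeholder: path to an end user's exported certificate (.cer, no private key)
        [Parameter(Mandatory)][string]$CertPath
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $now  = Get-Date

    # $true = machine context, so the server's own certificate stores are used,
    # not the stores of the administrator running the script
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain $true
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online

    # Require the Client Authentication purpose (OID 1.3.6.1.5.5.7.3.2)
    $clientAuth = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2'
    $chain.ChainPolicy.ApplicationPolicy.Add($clientAuth) | Out-Null

    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        NotBefore        = $cert.NotBefore
        NotAfter         = $cert.NotAfter
        InValidityPeriod = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        ChainTrusted     = $trusted
        # Empty when the chain builds cleanly; otherwise names each failure
        # (for example UntrustedRoot, NotTimeValid, RevocationStatusUnknown)
        ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        # Leaf first, root last, as resolved from this server's stores
        ChainPath        = ($chain.ChainElements |
                               ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    }
}

# Placeholder path: replace with a certificate exported from an affected user
Test-ClientCertificateTrust -CertPath 'C:\Temp\user-client-cert.cer' | Format-List
```

A result of `ChainTrusted : False` together with the `ChainStatus` values gives the Group Policy and Domain Administrators a concrete starting point; run it on every web server, since each one has its own certificate stores.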

Workaround
Archer does not require Client Certificates, and Microsoft IIS is configured out of the box to ignore Client Certificates.

As such, you can return Microsoft IIS to the out-of-the-box default by disabling Client Certificates in Microsoft IIS for Archer:
  1. IIS Default Web Site -> SSL Settings -> Set Client Certificate to Ignore
  2. Archer Site -> SSL Settings -> Uncheck Require SSL
  3. Archer Site -> SSL Settings -> Set Client Certificate to Ignore
  4. Run the iisreset command in an Administrator command prompt
  5. Repeat steps 1-4 for all web servers.