This article applies when you are setting up client certificate authentication for the ERPM web application and encounter the 403.16 error in Internet Explorer.
The error is puzzling because it occurs even when the certificate is valid, was issued by a trusted CA, AND is present in the local certificate store of the ERPM web server.
HTTP 403.16 Forbidden: Client Certificate Untrusted or Invalid
This can happen when you have chained approval modes. The behavior is described in this article: http://stackoverflow.com/questions/27232340/iis-8-5-mutual-certificates-authentication-fails-with-error-403-16
Defaults for Trust Modes

There are three Client Authentication Trust Modes supported by the Schannel provider. The trust mode controls how validation of the client's certificate chain is performed and is a system-wide setting controlled by the REG_DWORD "ClientAuthTrustMode" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel.

0 - Machine Trust (default): Requires that the client certificate is issued by a certificate in the Trusted Issuers list.
1 - Exclusive Root Trust: Requires that the client certificate chains to a root certificate contained in the caller-specified trusted issuer store. The certificate must also be issued by an issuer in the Trusted Issuers list.
2 - Exclusive CA Trust: Requires that the client certificate chains to either an intermediate CA certificate or a root certificate in the caller-specified trusted issuer store.

For information about authentication failures due to trusted issuers configuration issues, see Knowledge Base article 280256.

If this circumstance applies, then set the following registry value:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Value name: ClientAuthTrustMode
Value type: REG_DWORD
Value data: 2
After this change, update the web application files in ERPM and restart the server.
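The following PowerShell script is an added example, not part of the original article or of the ERPM product. It reads the current ClientAuthTrustMode value on the web server, reports it by the mode name listed above, records the previous value, and (with -WhatIf support) sets it to 2 (Exclusive CA Trust). The registry path, value name and mode names are taken from the article; the script's parameter name and backup file location are assumptions made for this example. Run it in an elevated PowerShell session on the ERPM web server.

```powershell
# Added example (not from the original article): inspect and optionally set the
# Schannel ClientAuthTrustMode value. The key path and value name are from the
# article; the backup location under $env:TEMP is an assumption for this example.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Desired trust mode; 2 = Exclusive CA Trust, the value the article recommends.
    [ValidateSet(0, 1, 2)]
    [int]$DesiredMode = 2
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$ValueName = 'ClientAuthTrustMode'

# The three modes exactly as the article lists them.
$ModeNames = @{
    0 = 'Machine Trust (default)'
    1 = 'Exclusive Root Trust'
    2 = 'Exclusive CA Trust'
}

function Get-ClientAuthTrustMode {
    # Returns the effective mode. A missing value means Schannel uses its default (0).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

$current = Get-ClientAuthTrustMode
Write-Host ("Current {0}: {1} ({2})" -f $ValueName, $current, $ModeNames[$current])

if ($current -eq $DesiredMode) {
    Write-Host 'No change required.'
    return
}

$target = "$KeyPath\$ValueName"
if ($PSCmdlet.ShouldProcess($target, "Set to $DesiredMode ($($ModeNames[$DesiredMode]))")) {
    # Record the previous value so the change can be reverted if needed.
    $backup = Join-Path $env:TEMP ("ClientAuthTrustMode-backup-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
    "Previous $ValueName = $current" | Out-File -FilePath $backup -Encoding ascii
    Write-Host "Previous value recorded in $backup"

    # Set-ItemProperty updates an existing value; New-ItemProperty creates the
    # REG_DWORD when it has never been defined on this server.
    if (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue) {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $DesiredMode -Type DWord
    } else {
        New-ItemProperty -Path $KeyPath -Name $ValueName -Value $DesiredMode -PropertyType DWord | Out-Null
    }
    Write-Host ("Set {0} to {1} ({2}). Update the ERPM web application files and restart the server so Schannel picks up the change." -f $ValueName, $DesiredMode, $ModeNames[$DesiredMode])
}
```

Run it first with -WhatIf to see the current mode and the change it would make; run it again without -WhatIf to apply the setting. Because ClientAuthTrustMode is system-wide, it affects every Schannel-based TLS client authentication on the server, not only the ERPM site, which is why the script records the previous value before changing it.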