A browser displays a 4xx error when there is a client-side issue while accessing a website. Specifically, a 403 error translates into “Forbidden”. If you dig deeper into the issue (Failed Request Logs or IIS logs), you may see 16 as the sub-status code, which refers to “Client certificate is untrusted or invalid” (Reference).
This post explains how to solve the 403.16 error.
Solution for “403.16 Forbidden: Client certificate is untrusted or invalid” error
In my case, the issue was the missing root certificate on the IIS server. The issue was solved once we added it by following the steps below.
- On the IIS web server, click Start, type “mmc.exe”, right-click mmc.exe, and then click “Run as administrator”.
- Go to “File > Add/Remove Snap-in”.
- In the “Available snap-ins” list, click “Certificates”, and then click “Add”.
- Select “Computer account” and click “Next”.
- Click “Local computer”, click “Finish”, and “Close”. Then click “OK”.
- Go to “Certificates > Trusted Root Certification Authorities”, right-click “Certificates”, and select “All Tasks > Import”.
- In the “Certificate Import Wizard”, click “Next”.
- Type the location of the root certificate of the certification authority and click “Next”.
- Click “Next”, and then “Finish”.

Note: Another root cause of the 403.16 issue might be the presence of non-self-signed certificates in the “Trusted Root Certification Authorities” container (Reference 1 – Reference 2).
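The import steps above and the check from the note can also be scripted. This is an added PowerShell example, not part of the original post; the file path and the expected thumbprint are placeholders, and it assumes an elevated session on the IIS server.

```powershell
# Added example. Run in an elevated PowerShell session on the IIS server.
param(
    [string]$RootCertPath = 'C:\temp\example-root-ca.cer',  # placeholder path
    [string]$ExpectedThumbprint = ''   # placeholder: value obtained from the CA out of band
)

# "Trusted Root Certification Authorities" for the computer account
$store = 'Cert:\LocalMachine\Root'

# Load the file without installing it, so it can be inspected first.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RootCertPath

# A root certificate is self-signed: Subject and Issuer are identical.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a root certificate: '$($cert.Subject)' was issued by '$($cert.Issuer)'."
}

# Adding a root extends machine-wide trust, so confirm it is the certificate you expect.
if ($ExpectedThumbprint -and ($cert.Thumbprint -ne ($ExpectedThumbprint -replace '\s', '').ToUpper())) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint)."
}

if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate expired on $($cert.NotAfter)."
}

# Import only if this thumbprint is not already in the store.
if (Test-Path "$store\$($cert.Thumbprint)") {
    Write-Output "Already present: $($cert.Subject)"
} else {
    Import-Certificate -FilePath $RootCertPath -CertStoreLocation $store | Out-Null
    Write-Output "Imported: $($cert.Subject) [$($cert.Thumbprint)]"
}

# Check from the note: list certificates in the root store that are NOT self-signed.
$misplaced = @(Get-ChildItem $store | Where-Object { $_.Issuer -ne $_.Subject })
if ($misplaced.Count -gt 0) {
    Write-Warning "$($misplaced.Count) non-self-signed certificate(s) found in ${store}:"
    $misplaced | Format-List Subject, Issuer, Thumbprint, NotAfter
} else {
    Write-Output "No non-self-signed certificates in $store."
}
```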
To centralize certificate management in your IIS web farm, check out the CCS (Centralized Certificate Store) feature: What is Centralized Certificate Store (CCS) and how to use it?
