2 Way SSL - IIS 7 Returns 403.16 When Client Certificate Is Sent


So I encountered this issue (which I managed to resolve) and wanted to share the problem and solution, in case someone else experiences the same issue.

The problem:

  1. I configured a site on IIS 7 to require SSL and a client certificate, because I needed to implement 2-way SSL.
  2. I noticed that the client certificate is sent by the client (I checked this by sniffing the packets with Wireshark).
  3. The IIS server returned 403.16 "Client certificate is untrusted or invalid".

Additional information:

  1. The issuer of the certificate was in the trusted CAs store.

What else can cause this issue?


Solution

  • In my case,

    The issue was with the enhanced key usage (EKU) of the certificate, which was set to "server authentication".

    When I issued the certificate via my org's CA server, I used a predefined web server template that sets the enhanced key usage to the above.

    Issuing a new certificate with "client authentication" usage resolved the issue for me.

    Hope it will help someone else who encounters a similar issue.
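The following is an added example, written for this page and not code from the original post or from IIS. It reproduces the failure mode described in the answer with Go's standard `crypto/x509` library: a throwaway issuing CA signs a leaf certificate whose EKU extension carries only "server authentication", and the server-side check (chain to a trusted CA, then require the client-authentication purpose, which is the same purpose check IIS applies before it reports 403.16) rejects it even though the issuer is trusted. Reissuing with "client authentication" fixes it. The example also goes one step beyond the post: a certificate with no EKU extension at all is accepted, because Go's verifier, like RFC 5280 and most X.509 implementations, treats a missing EKU as "valid for any purpose". The CA name, the subject, and the helper names `newCA`, `issueLeaf` and `Scenario` are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Result is the outcome of presenting one client certificate to a server
// that requires client-certificate authentication.
type Result struct {
	Accepted bool
	Reason   string // verification error text when rejected, empty otherwise
}

// newCA builds a throwaway self-signed issuing CA (stand-in for the org CA).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Org Issuing CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf has the CA sign an end-entity certificate whose EKU extension
// carries exactly the purposes in eku; nil means no EKU extension at all.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "user@example.org"}, // constructed subject
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Scenario issues a leaf with the given EKU list and checks it the way a
// server that requires client certificates does: the chain must end at a
// trusted CA AND the leaf must be valid for the client-authentication purpose.
func Scenario(eku []x509.ExtKeyUsage) (Result, error) {
	ca, caKey, err := newCA()
	if err != nil {
		return Result{}, err
	}
	leaf, err := issueLeaf(ca, caKey, eku)
	if err != nil {
		return Result{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the issuer IS trusted, exactly as in the question
	_, verr := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if verr != nil {
		return Result{Accepted: false, Reason: verr.Error()}, nil
	}
	return Result{Accepted: true}, nil
}

func main() {
	cases := []struct {
		name string
		eku  []x509.ExtKeyUsage
	}{
		{"web server template (serverAuth only)", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}},
		{"reissued with clientAuth", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}},
		{"no EKU extension", nil},
	}
	for _, c := range cases {
		r, err := Scenario(c.eku)
		if err != nil {
			fmt.Println(c.name, "setup failed:", err)
			continue
		}
		fmt.Printf("%-40s accepted=%v %s\n", c.name, r.Accepted, r.Reason)
	}
}
```

The first case fails with Go's "incompatible key usage" error, which is the same condition IIS reports as 403.16 even though the issuing CA is in the trusted store. To check a certificate on the Windows side before wiring it into IIS, `certutil -dump <file>.cer` prints its Enhanced Key Usage; a usable client certificate must list Client Authentication (OID 1.3.6.1.5.5.7.3.2), not only Server Authentication (OID 1.3.6.1.5.5.7.3.1).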