IE11 not prompting for certificates. Citrix/IIS 403 7 RRS feed

  • Question

  • He are having issues with a 403 7 when users attempt to connect to an IIS website set to SSL require. We have already checked URLACTION_CLIENT_CERT_PROMPT  and it is set properly. We ran a trace on the IIS server and saw that the client(citrix server) is not sending the client credentials to the IIS server. We cleared all duplicate certs and we do not have too many root, or intermediate certs either. To top it all off this is an intermittent issue. A user will receive a 403 then open a new tab paste the URL and then receive the prompt for certs and get in.  Please help, this has been kicking our butts for a month now. I can provide anything you might need.
    Tuesday, December 27, 2016 4:28 PM

All replies

  • Hi Myder,

    Wrong IIS configuration is probably the most common cause for the 403.7 error. When SSL client authentication is configured, IIS sends a list of known Certificate Authorities. This list is used by Internet Explorer to filter out client certificates that are “unknown” to the web server. Please check the link below to troubleshooting 403.7 issue.

    Also as this issue is mainly related to IIS, I suggest discussing it in our IIS forum. They are the best resource to troubleshoot it.

    Hope it will be helpful to you

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Wednesday, December 28, 2016 3:05 AM
  • Thank you for the reply,

    I think I've probably read every article the interwebz has to offer, and normally I agree with you except IIS doesn't even get to play its part. I have captured both a 403 and a good login. During the 403 the server hellos complete and then the citrix server fails to send the client cert to start SSL authentication with IIS(negotiateclientcerts is enabled). where normally during a good auth. The hellos happen then the citrix server sends the client cert to the IIS server for authentication and everything goes great.  I would think if IIS was misconfigured we would be able to reproduce the problem every time, but unfortunately we cannot.

    I was wondering if this could be a result of cached credentials or cookies. We have found users were able to reach the sites after clearing session cookies. I'm also wondering if it could be an activclient issue.

    I'm posting here because I have already tried everything I've found in the IIS forums.

    Wednesday, December 28, 2016 12:31 PM
  • have captured both a 403 and a good login.  

    You could try simulating the credentials phase using PowerShell's  Invoke-WebRequest.

    Robert Aldwinckle

    Friday, December 30, 2016 1:01 AM