Error 403 on SharePoint 2010 when using SmartCard Authentication?


  • Admittedly, I am very new to the world of SharePoint 2010 so I was wondering if I could get some insight into a problem that recently popped up.

     Our set up is like this: We are running Sharepoint 2010 (x64bit), on Server 2008 R2 (x64bit) and CAC certificate authentication is being handled by ISA 2006(32 Bit) since SharePoint 2010 doesn’t support it natively.

    I have to Figure out (what seems to be) a Smart Card Authentication problem. Apparently it was working as late as May of this year…

    Essentially, users with local Active Directory (AD) Accounts SHOULD be able to authenticate with their Smart Card into the SharePoint page using the secure (https) URL when away from the office, specifically at a satellite office away from our Headquarters building. Right now, the site is only working internally (while connected in our HQ). When a user tries to access the site they are prompted for their SMART CARD credentials, when they enter the PIN they are taken to an ERROR 403 PAGE “the Website declined to show this webpage” ‘This error (HTTP 403 Forbidden) means that Internet Explorer was able to connect to the website, but it does not have permission to view the webpage.’

    I went to look at the IIS server (7.5) to see how the Authentication was being handled When I started looking at this, “Windows Authentication” was set to just NTLM. It is currently set to Negotiate then NTLM. If we add “Negotiate: Kerberos”, the site asks for a userid/password for internal users. The previous SA dabbled (after the break) with Extended protection and the “Enable Kernel-mode authentication” check box. One of his notes says this should be OFF. However, when he added “Negotiate”, Kernel-mode authentication has to be checked or SharePoint will prompt for a password for internal users.


    - SharePoint Server:

    •  There are error codes/Event IDs are common throughout the ADMINISTRATIVE EVENTS log on the sharepoint server 
    •  6398, 5555, and 7113 - strangely enough these all have to do with the user profiles, but it is unclear to me whether this has anything to do with the Smart Card authentication 
    • 3 – This error code began showing up in the past few weeks. There are several different types:
    •  SYSTEM.SERVICEMODEL It stated “the service ‘/_vti_bin/client.svc’ cannot be activated due to an exception during compilation. The exception message is: The authentication scheme ‘Negotiate:kerberos’ is not supported”


    • A Kerberos Error Message was received:
    •    On logon session site\sharept_admin Error Code KDC_ERR_PREAUTH_REQUIRED
    • Error Code KDC_ERR_BADOPTION

    - As it stands now the site is in the INTERNET ZONE. Should it be in the INTRANET ZONE If I wanted users at satellite locations to be able to access the internal SP portal?

    - In SharePoint CA:

    • o Edit Authentication> IIS Authentication Settings: INTEGRATED WINDOWS AUTHENTICATION is CHECKED and NTLM radial bubble is selected. Should this be set to Negotiate (Kerberos)?
    •  o Edit Authentication> IIS Authentication Settings: Enable Client Integration is set to “YES”

    - In IIS:

    • o the “pass-through authentication” test passed. o Certificates are NOT expired o We are using KCD - Etc: o Happening on Win 7 and XP both IE8
    • o Compared to the way OWA is set up in IIS and IAS and nothing really stands out.

    I hope this make sense, If not please let me know.

    • Edited by Rod_419 Friday, July 08, 2011 2:31 AM Format editing
    Friday, July 08, 2011 2:03 AM


  • Hi,

    As i know, Microsoft SharePoint Server 2010 does not provide built-in support for Client Certificate Authentication. but Client Certificate Authentication is available through integration with Active Directory Federation Services (AD FS) 2.0, or any third-party identity management system that supports standard security protocols.

    For more information, please refer to:



    • Marked as answer by Seven M Friday, July 15, 2011 3:30 AM
    Wednesday, July 13, 2011 8:02 AM