Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

You receive a "403.13 client certificate revoked" error message when you connect to a computer that is running Windows Server 2003 and Internet Information Services 6.0


View products that this article applies to.

Symptoms

When you connect to a computer that is running Microsoft Windows Server 2003 and Microsoft Internet Information Services (IIS) 6.0, you may receive the following error message after you select a certificate:
403.13 Client Certificate Revoked

↑ Back to the top


Cause

You may receive this error message if mutual authentication is enabled.

This problem occurs because of a certificate revocation list (CRL) retrieval timeout. Windows Server 2003 introduces new Microsoft Cryptography API (CAPI) behavior regarding network timeouts. This change was first made to address the problem of long delays that occur because of CAPI blocking during CRL retrievals when the target URL is inaccessible.

In Windows Server 2003, the default timeout is set to 15 seconds. Windows Server 2003 includes a feature that retries the download on a background thread with a default timeout of 60 seconds. CRLs that reside on a Lightweight Directory Access Protocol (LDAP) URL may be particularly affected because of reduced throughput.

↑ Back to the top


Workaround

To work around this problem, manually download the CRL, and then install it to the local computer certificate store.

Note Because the CRL is valid only for a limited time, you must retrieve a new CRL periodically.

To install a CRL to the local computer certificate store, follow these steps:
  1. Log on to the computer as a member of the local administrators group.
  2. Open the Certificates snap-in for the Computer account. To do this, follow these steps:
    1. Click Start, click Run, type mmc, and then click OK.
    2. On File menu, click Add/Remove Snap-in. The Add/Remove Snap-in dialog box appears.
    3. On the Standalone tab, click Add. The Add Standalone Snap-in dialog box appears.
    4. In the Available Standalone Snap-ins list, click Certificates, and then click Add.
    5. Click Computer account, and then click Next.
    6. Click Local computer, and then click Finish.
    7. Click Close, and then click OK.
  3. Expand Certificates, right-click Intermediate Certification Authorities, click All Tasks, and then click Import.
  4. Follow instructions in the wizard to complete the installation.

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top


More information

Windows Server 2003 Service Pack 1 (SP1) is scheduled to include configurable timeout settings that are similar to those that are documented in the following article in the Microsoft Knowledge Base:
841632 You receive the "403.13 client certificate revoked" error message after you install the MS04-11 security update
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
841641 IIS returns a "403.13 Client Certificate Revoked" error message after you install MS04-011 because of Wininet proxy settings
841642 Errors with client certificates occur after you install the MS04-011 security update on an IIS 5.0 computer

↑ Back to the top


Keywords: KB884115, kbtshoot, kberrmsg

↑ Back to the top

Article Info
Article ID : 884115
Revision : 5
Created on : 12/3/2007
Published on : 12/3/2007
Exists online : False
Views : 518