Problem with 403.16 error

I don’t know too much about security certificates, please bear with me.

I created a certificate to be used by my webserver running IIS. Mostly things seems to be working ok. Occasionally, a user will report a 403.16 - Forbidden error.

I’m also getting a lot of these event viewer messages.

An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed.

I don’t know if one is related to the other or if these are separate problems. I worry that I did not create/install the certificate properly.

The certificate does not determine which ciphers the server and client may use in the end. The certificate is used for the handshake which sets up the real encryption. You can think of the handshake as not being completely secure, but the way that it is used allows for a fully secure channel to be created. The server and client will have different lists of ciphers that they will allow. If the ones the server offers do not agree with the ones the client wants to use, then the handshake fails.

I’m not entirely certain that explains 403.16 errors. It might be a closely related, but not exactly related cause.

You can use something like ssllabs.com to test what ciphers your server offers and what browsers/OSs might try to use. It will also tell you if there are other problems with the certificate as you’re fearing. Just remember that your certificate does not determine which ciphers your server supports. Treat them as different categories of issues.

2 Likes

Are you perhaps running Windows Server 2012 or older? We generally recommend to use the free IIS Crypt tool from Nartec to configure your server for “Best Practices” mode, however on older operating systems you do still need to enable a couple of older ciphers because 2012 doesn’t know some of the more modern ones.

1 Like