How to resolve a "403.4 - Forbidden" error at the browser on an IIS8.5 Web Server with the R12.52 SP1 CA Single Sign On Web Agent installed.

Document ID : KB000006550
Last Modified Date : 14/02/2018
Issue:

Trying to access a resource on an IIS8.x WebSite over the HTTP protocol with the CA Single Sign On R12.52 SP1 WebAgent for IIS installed results in a 403 error at the browser. There are no Single Sign On Agent logs generated and LLAWP does not start.

A review of the "Failed Request Tracing" (FREB) log for the request shows an "HttpSubStatus" of "4" for the 403 error:

<EventData>
  <Data Name="ContextId">{80000006-0000-D200-B63F-84710C7967BB}</Data>
  <Data Name="ModuleName">IIS Web Core</Data>
  <Data Name="Notification">1</Data>
  <Data Name="HttpStatus">403</Data>
  <Data Name="HttpReason">Forbidden</Data>
  <Data Name="HttpSubStatus">4</Data>
  <Data Name="ErrorCode">2147942405</Data>
  <Data Name="ConfigExceptionInfo"></Data>
</EventData>

The following link provides the definitions for the IIS HTTP status codes;

https://support.microsoft.com/en-us/help/943891/the-http-status-code-in-iis-7.0,-iis-7.5,-and-iis-8.0 

The following is taken from that article:

IIS 7.0, IIS 7.5, and IIS 8.0 define the following HTTP status codes that indicate a more specific cause of a 403 error: 

•403.1 - Execute access forbidden.
•403.2 - Read access forbidden.
•403.3 - Write access forbidden.
•403.4 - SSL required.
•403.5 - SSL 128 required.
•403.6 - IP address rejected.
•403.7 - Client certificate required.
•403.8 - Site access denied.
•403.9 - Forbidden: Too many clients are trying to connect to the web server.
•403.10 - Forbidden: web server is configured to deny Execute access.
•403.11 - Forbidden: Password has been changed.
•403.12 - Mapper denied access.
•403.13 - Client certificate revoked.
•403.14 - Directory listing denied.
•403.15 - Forbidden: Client access licenses have exceeded limits on the web server.
•403.16 - Client certificate is untrusted or invalid.
•403.17 - Client certificate has expired or is not yet valid.
•403.18 - Cannot execute requested URL in the current application pool.
•403.19 - Cannot execute CGI applications for the client in this application pool.
•403.20 - Forbidden: Passport logon failed.
•403.21 - Forbidden: Source access denied.
•403.22 - Forbidden: Infinite depth is denied.
•403.502 - Forbidden: Too many requests from the same client IP; Dynamic IP Restriction limit reached.

The full status "403.4" therefore means "SSL required".

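The decoding above can be done for a whole Failed Request Tracing file rather than by eye. The script below is an added example and not part of the CA article: it walks the namespaced Event/EventData elements a real FREB .xml file contains, pulls out every event that carries an HttpStatus, maps the 403 sub-status with the table quoted above, and also renders the decimal ErrorCode as the HRESULT it really is (the low 16 bits of a FACILITY_WIN32 HRESULT are the Win32 error code). The sample trace is a constructed copy of the article's EventData fragment wrapped in the Event element and namespace that FREB files use.

```python
import xml.etree.ElementTree as ET

# HTTP 403 sub-status meanings for IIS 7.0/7.5/8.0, as listed in the
# Microsoft article linked above.
FORBIDDEN_SUBSTATUS = {
    1: "Execute access forbidden",
    2: "Read access forbidden",
    3: "Write access forbidden",
    4: "SSL required",
    5: "SSL 128 required",
    6: "IP address rejected",
    7: "Client certificate required",
    8: "Site access denied",
    9: "Too many clients are trying to connect to the web server",
    10: "Web server is configured to deny Execute access",
    11: "Password has been changed",
    12: "Mapper denied access",
    13: "Client certificate revoked",
    14: "Directory listing denied",
    15: "Client access licenses have exceeded limits on the web server",
    16: "Client certificate is untrusted or invalid",
    17: "Client certificate has expired or is not yet valid",
    18: "Cannot execute requested URL in the current application pool",
    19: "Cannot execute CGI applications for the client in this application pool",
    20: "Passport logon failed",
    21: "Source access denied",
    22: "Infinite depth is denied",
    502: "Too many requests from the same client IP; Dynamic IP Restriction limit reached",
}

# Constructed sample: the EventData fragment from the article, wrapped in the
# namespaced Event element that a real FREB trace file uses.
SAMPLE_TRACE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData>
    <Data Name="ContextId">{80000006-0000-D200-B63F-84710C7967BB}</Data>
    <Data Name="ModuleName">IIS Web Core</Data>
    <Data Name="Notification">1</Data>
    <Data Name="HttpStatus">403</Data>
    <Data Name="HttpReason">Forbidden</Data>
    <Data Name="HttpSubStatus">4</Data>
    <Data Name="ErrorCode">2147942405</Data>
    <Data Name="ConfigExceptionInfo"></Data>
  </EventData>
</Event>"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}Data' -> 'Data'."""
    return tag.rsplit("}", 1)[-1]


def status_events(xml_text):
    """Return a dict of Data Name -> value for every EventData block that carries
    an HttpStatus. On a full FREB file this yields each status event in order."""
    root = ET.fromstring(xml_text)
    found = []
    for node in root.iter():
        if _local(node.tag) != "EventData":
            continue
        fields = {d.get("Name"): (d.text or "").strip()
                  for d in node if _local(d.tag) == "Data" and d.get("Name")}
        if "HttpStatus" in fields:
            found.append(fields)
    return found


def decode_forbidden(fields):
    """Build the 'status.substatus' form used by the IIS documentation and
    decode the HRESULT that FREB stores as an unsigned decimal in ErrorCode."""
    status = int(fields["HttpStatus"])
    sub = int(fields.get("HttpSubStatus", "0"))
    if status == 403:
        meaning = FORBIDDEN_SUBSTATUS.get(sub, "unknown sub-status")
    else:
        meaning = "not a 403"
    hresult = int(fields.get("ErrorCode", "0"))
    return {
        "full_status": f"{status}.{sub}",
        "meaning": meaning,
        "module": fields.get("ModuleName", ""),
        "hresult": f"0x{hresult:08X}",
        # Low 16 bits of a FACILITY_WIN32 HRESULT: 5 is ERROR_ACCESS_DENIED.
        "win32_code": hresult & 0xFFFF,
    }


if __name__ == "__main__":
    for event in status_events(SAMPLE_TRACE):
        print(decode_forbidden(event))
```

Running it against the sample prints full_status 403.4, meaning "SSL required", module "IIS Web Core" and hresult 0x80070005 (Win32 code 5, access denied), which is why the agent never sees the request: IIS Web Core rejects it before any module, the Single Sign On agent included, is notified.
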
A review of the ApplicationHost.config file also shows that SSL is required for the site;

<location path="MyIIS8.xWebSite">
  <system.webServer>
    <security>
      <access sslFlags="Ssl" />
    </security>
  </system.webServer>
</location>

Environment:
R12.52 SP2 Policy Server on Windows 2012R2
R12.52 SP1 Agent for IIS on Windows 2012R2
IIS8.5 on Windows 2012R2
Cause:

The IIS Web Site is configured to require SSL, however the request was over HTTP instead of HTTPS.

Resolution:

Any one of the following resolves the error:
•Make the request over the HTTPS port/binding of the Web Site.
•Un-check the "Require SSL" check-box in the "SSL Settings" for the Web Site.
•Edit the ApplicationHost.config file and set the "sslFlags" attribute of the "access" element to "None".
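Choosing between the three options depends on whether the site already has an HTTPS binding. The script below is an added example, not part of the CA article or of IIS: it reads an applicationHost.config, reports the sslFlags set in the site's location element (which is where the "Require SSL" check-box is stored), lists the site's bindings, and recommends the option that applies to the scheme the client used. It also shows the third option, rewriting sslFlags to "None", but returns the modified XML instead of writing to %windir%\System32\inetsrv\config. The site name is the one from the article; the bindings and the site id are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample applicationHost.config: the article's location element plus
# an assumed site definition with one http and one https binding.
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <sites>
      <site name="MyIIS8.xWebSite" id="2">
        <bindings>
          <binding protocol="http" bindingInformation="*:80:" />
          <binding protocol="https" bindingInformation="*:443:" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>
  <location path="MyIIS8.xWebSite">
    <system.webServer>
      <security>
        <access sslFlags="Ssl" />
      </security>
    </system.webServer>
  </location>
</configuration>"""


def ssl_flags_for(config_xml, site_name):
    """Return the set of sslFlags values in the site's <location> element.
    sslFlags is comma-separated (e.g. "Ssl,SslNegotiateCert"); "Ssl" is the
    flag written by the "Require SSL" check-box. Absent means "None"."""
    root = ET.fromstring(config_xml)
    for loc in root.iter("location"):
        if loc.get("path") != site_name:
            continue
        for access in loc.iter("access"):
            raw = access.get("sslFlags", "None")
            return {f.strip() for f in raw.split(",") if f.strip()}
    return {"None"}


def site_bindings(config_xml, site_name):
    """Return [(protocol, bindingInformation), ...] for the named site."""
    root = ET.fromstring(config_xml)
    for site in root.iter("site"):
        if site.get("name") == site_name:
            return [(b.get("protocol"), b.get("bindingInformation"))
                    for b in site.iter("binding")]
    return []


def diagnose(config_xml, site_name, request_scheme):
    """Map the article's cause to its resolution for a request over
    request_scheme ('http' or 'https')."""
    requires_ssl = "Ssl" in ssl_flags_for(config_xml, site_name)
    if not requires_ssl or request_scheme == "https":
        return "no-403.4-expected"
    https = [info for proto, info in site_bindings(config_xml, site_name)
             if proto == "https"]
    if https:
        # Option 1: keep SSL required and send the client to the HTTPS binding.
        return "use-https-binding:" + https[0]
    # Options 2/3: without an HTTPS binding the only way to serve this site is
    # to stop requiring SSL (or to add an HTTPS binding first).
    return "no-https-binding:relax-sslFlags-or-add-https-binding"


def relax_ssl_flags(config_xml, site_name):
    """Option 3 from the article: set sslFlags="None" in the site's location
    element. Returns (new_xml, changed) rather than touching the live file."""
    root = ET.fromstring(config_xml)
    changed = False
    for loc in root.iter("location"):
        if loc.get("path") != site_name:
            continue
        for access in loc.iter("access"):
            if access.get("sslFlags") is not None:
                access.set("sslFlags", "None")
                changed = True
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    site = "MyIIS8.xWebSite"
    print("sslFlags:", ssl_flags_for(SAMPLE_CONFIG, site))
    print("bindings:", site_bindings(SAMPLE_CONFIG, site))
    print("http request ->", diagnose(SAMPLE_CONFIG, site, "http"))
    relaxed, changed = relax_ssl_flags(SAMPLE_CONFIG, site)
    print("after relax:", ssl_flags_for(relaxed, site), "changed:", changed)
```

Note that the script only reads the site-level location element; a Require SSL setting can also live in the site's own web.config or at the global system.webServer/security level, so an empty result here does not prove SSL is not required. Preferring the first option keeps the site's transport protection in place, which matters for a Single Sign On agent that is about to hand the browser a session cookie.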