Trying to access a resource on an IIS8.x WebSite over the HTTP protocol with the CA Single Sign On R12.52 SP1 WebAgent for IIS installed results in a 403 error in the browser. No Single Sign On Agent logs are generated and LLAWP does not start.
A review of the "Failed Request Tracing" log shows an "HttpSubStatus" code of "4" for the 403 error:
<EventData>
  <Data Name="ContextId">{80000006-0000-D200-B63F-84710C7967BB}</Data>
  <Data Name="ModuleName">IIS Web Core</Data>
  <Data Name="Notification">1</Data>
  <Data Name="HttpStatus">403</Data>
  <Data Name="HttpReason">Forbidden</Data>
  <Data Name="HttpSubStatus">4</Data>
  <Data Name="ErrorCode">2147942405</Data>
  <Data Name="ConfigExceptionInfo"></Data>
</EventData>
The following link provides the definitions for the IIS HTTP status codes:
https://support.microsoft.com/en-us/help/943891/the-http-status-code-in-iis-7.0,-iis-7.5,-and-iis-8.0
The following is taken from that page:
IIS 7.0, IIS 7.5, and IIS 8.0 define the following HTTP status codes that indicate a more specific cause of a 403 error:
• 403.1 - Execute access forbidden.
• 403.2 - Read access forbidden.
• 403.3 - Write access forbidden.
• 403.4 - SSL required.
• 403.5 - SSL 128 required.
• 403.6 - IP address rejected.
• 403.7 - Client certificate required.
• 403.8 - Site access denied.
• 403.9 - Forbidden: Too many clients are trying to connect to the web server.
• 403.10 - Forbidden: web server is configured to deny Execute access.
• 403.11 - Forbidden: Password has been changed.
• 403.12 - Mapper denied access.
• 403.13 - Client certificate revoked.
• 403.14 - Directory listing denied.
• 403.15 - Forbidden: Client access licenses have exceeded limits on the web server.
• 403.16 - Client certificate is untrusted or invalid.
• 403.17 - Client certificate has expired or is not yet valid.
• 403.18 - Cannot execute requested URL in the current application pool.
• 403.19 - Cannot execute CGI applications for the client in this application pool.
• 403.20 - Forbidden: Passport logon failed.
• 403.21 - Forbidden: Source access denied.
• 403.22 - Forbidden: Infinite depth is denied.
• 403.502 - Forbidden: Too many requests from the same client IP; Dynamic IP Restriction limit reached.
Combining the "HttpStatus" and "HttpSubStatus" values gives the complete error "403.4", which the list above defines as "SSL required".
A review of the ApplicationHost.config file also shows that SSL is required for the site:
<location path="MyIIS8.xWebSite">
  <system.webServer>
    <security>
      <access sslFlags="Ssl" />
    </security>
  </system.webServer>
</location>
The IIS Web Site is configured to require SSL, but the request was made over HTTP instead of HTTPS.
Make the request over the HTTPS Port/Binding for the Web Site, or un-check the "Require SSL" check-box in the "SSL Settings" for the Web Site, or modify the ApplicationHost.config file and set the "sslFlags" attribute of the "access" element to "None".
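The check described above can be scripted. The following PowerShell is an added example, not part of the original article or of the product: it reads a site's "sslFlags" value and its bindings from ApplicationHost.config XML and reports when an HTTP binding exists on a site that requires SSL. The function name Get-SiteSslReport and the <site> entry with its bindings are hypothetical, and only a site-level <location> tag is inspected (settings inherited from the server level or set in web.config are not).

```powershell
# Constructed sample input: the <location> block from this article plus a
# hypothetical <site> entry with one HTTP and one HTTPS binding.
[xml]$config = @'
<configuration>
  <system.applicationHost>
    <sites>
      <site name="MyIIS8.xWebSite" id="2">
        <bindings>
          <binding protocol="http" bindingInformation="*:80:" />
          <binding protocol="https" bindingInformation="*:443:" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>
  <location path="MyIIS8.xWebSite">
    <system.webServer>
      <security>
        <access sslFlags="Ssl" />
      </security>
    </system.webServer>
  </location>
</configuration>
'@

function Get-SiteSslReport {
    param([xml]$Config, [string]$SiteName)
    # sslFlags is a comma-separated flag list; "Ssl" corresponds to the "Require SSL" check-box.
    $access   = $Config.SelectSingleNode("/configuration/location[@path='$SiteName']/system.webServer/security/access")
    $flags    = if ($access -and $access.GetAttribute('sslFlags')) { $access.GetAttribute('sslFlags') } else { 'None' }
    $bindings = $Config.SelectNodes("/configuration/system.applicationHost/sites/site[@name='$SiteName']/bindings/binding")
    [pscustomobject]@{
        Site        = $SiteName
        SslFlags    = $flags
        RequiresSsl = ($flags -split '\s*,\s*') -contains 'Ssl'
        Http        = @($bindings | Where-Object { $_.protocol -eq 'http' }  | ForEach-Object { $_.bindingInformation })
        Https       = @($bindings | Where-Object { $_.protocol -eq 'https' } | ForEach-Object { $_.bindingInformation })
    }
}

$report = Get-SiteSslReport -Config $config -SiteName 'MyIIS8.xWebSite'
$report | Format-List
if ($report.RequiresSsl -and $report.Http) {
    "Requests to HTTP binding(s) $($report.Http -join ', ') will be rejected with 403.4; use $($report.Https -join ', ')."
}
```

To run it against a live server, replace the constructed here-string with the contents of the server's ApplicationHost.config, read from an elevated 64-bit PowerShell session.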