Accessing a resource on an IIS 8.x Web Site over HTTP with the CA Single Sign On R12.52 SP1 WebAgent for IIS installed results in a 403 error in the browser. No Single Sign On Agent logs are generated and LLAWP does not start.
A review of the "Failed Request Tracing" log shows an "HttpSubStatus" code of "4" for the 403 error:
<Data Name="ModuleName">IIS Web Core</Data>
The following link provides the definitions for the IIS HTTP status codes:
The following is from this link:
IIS 7.0, IIS 7.5, and IIS 8.0 define the following HTTP status codes that indicate a more specific cause of a 403 error:
• 403.1 - Execute access forbidden.
• 403.2 - Read access forbidden.
• 403.3 - Write access forbidden.
• 403.4 - SSL required.
• 403.5 - SSL 128 required.
• 403.6 - IP address rejected.
• 403.7 - Client certificate required.
• 403.8 - Site access denied.
• 403.9 - Forbidden: Too many clients are trying to connect to the web server.
• 403.10 - Forbidden: web server is configured to deny Execute access.
• 403.11 - Forbidden: Password has been changed.
• 403.12 - Mapper denied access.
• 403.13 - Client certificate revoked.
• 403.14 - Directory listing denied.
• 403.15 - Forbidden: Client access licenses have exceeded limits on the web server.
• 403.16 - Client certificate is untrusted or invalid.
• 403.17 - Client certificate has expired or is not yet valid.
• 403.18 - Cannot execute requested URL in the current application pool.
• 403.19 - Cannot execute CGI applications for the client in this application pool.
• 403.20 - Forbidden: Passport logon failed.
• 403.21 - Forbidden: Source access denied.
• 403.22 - Forbidden: Infinite depth is denied.
• 403.502 - Forbidden: Too many requests from the same client IP; Dynamic IP Restriction limit reached.
The complete status code is therefore "403.4", which means "SSL required".
A review of the ApplicationHost.config file also shows that SSL is required for the site:
<access sslFlags="Ssl" />
The IIS Web Site is configured to require SSL, but the request was made over HTTP instead of HTTPS.
Make the request over the HTTPS Port/Binding for the Web Site, or un-check the "Require SSL" check-box in the "SSL Settings" for the Web Site, or modify the ApplicationHost.config file and set the "access sslFlags" parameter to "None". The first option keeps the SSL requirement in place; the other two remove it, so the site then accepts plain HTTP requests.
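The check described above can be scripted against copies of the trace and configuration files. The following is an added example, not code from the vendor or from the original article: the XML samples are constructed, the function names are hypothetical, and it assumes the requirement is set on the site's own `<location>` element rather than inherited from a server-level default.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <Data> fields of one Failed Request Tracing event.
FRT_EVENT = """<EventData>
  <Data Name="ModuleName">IIS Web Core</Data>
  <Data Name="HttpStatus">403</Data>
  <Data Name="HttpSubStatus">4</Data>
</EventData>"""

# Constructed sample: the parts of ApplicationHost.config that matter here.
APPHOST = """<configuration>
  <system.applicationHost><sites>
    <site name="Default Web Site" id="1"><bindings>
      <binding protocol="http" bindingInformation="*:80:" />
      <binding protocol="https" bindingInformation="*:443:" />
    </bindings></site>
  </sites></system.applicationHost>
  <location path="Default Web Site">
    <system.webServer><security><access sslFlags="Ssl" /></security></system.webServer>
  </location>
</configuration>"""

def trace_status(event_xml):
    """Return 'status.substatus' from the <Data Name=...> fields of a trace event."""
    data = {e.get("Name"): (e.text or "").strip()
            for e in ET.fromstring(event_xml).iter("Data")}
    return f'{data["HttpStatus"]}.{data["HttpSubStatus"]}'

def ssl_requirement(apphost_xml, site):
    """Return (sslFlags set on the site's <location>, its https bindings)."""
    root = ET.fromstring(apphost_xml)
    flags = "None"  # assumption: no site-level <access> means nothing is required
    for loc in root.iter("location"):
        access = loc.find("system.webServer/security/access")
        if loc.get("path") == site and access is not None:
            flags = access.get("sslFlags", "None")
    https = [b.get("bindingInformation")
             for s in root.iter("site") if s.get("name") == site
             for b in s.iter("binding") if b.get("protocol") == "https"]
    return flags, https

def diagnose(event_xml, apphost_xml, site):
    """Tie the traced 403 sub-status to the site's sslFlags setting."""
    status = trace_status(event_xml)
    flags, https = ssl_requirement(apphost_xml, site)
    requires_ssl = "ssl" in [f.strip().lower() for f in flags.split(",")]
    if status == "403.4" and requires_ssl:
        return f"403.4 explained by sslFlags={flags}; use https binding(s) {https}"
    return f"{status} not explained by sslFlags={flags}"
```

An empty https binding list alongside `sslFlags="Ssl"` means the site has no binding that can satisfy the requirement, so one must be added before HTTPS requests can succeed.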