How to resolve a "403.4 - Forbidden" error at the browser on an IIS8.5 Web Server with the R12.52 SP1 CA Single Sign On Web Agent installed.

Article ID: 6550

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Trying to access a resource on an IIS 8.x web site over plain HTTP, with the CA Single Sign On R12.52 SP1 Web Agent for IIS installed, returns a 403 error at the browser. No Single Sign On Agent logs are generated and LLAWP does not start.

A review of the "Failed Request Tracing" output shows an "HttpSubStatus" of "4" for the 403, and that the error is raised by "IIS Web Core" rather than by the agent module. In other words, IIS rejects the request before it ever reaches the Web Agent, which is why the agent produces no log entry:

<EventData>
  <Data Name="ContextId">{80000006-0000-D200-B63F-84710C7967BB}</Data>
  <Data Name="ModuleName">IIS Web Core</Data>
  <Data Name="Notification">1</Data>
  <Data Name="HttpStatus">403</Data>
  <Data Name="HttpReason">Forbidden</Data>
  <Data Name="HttpSubStatus">4</Data>
  <Data Name="ErrorCode">2147942405</Data>
  <Data Name="ConfigExceptionInfo"></Data>
</EventData>

 

The following link provides the definitions of the IIS HTTP status and sub-status codes:

https://support.microsoft.com/en-us/help/943891/the-http-status-code-in-iis-7.0,-iis-7.5,-and-iis-8.0

The following is taken from that link:

IIS 7.0, IIS 7.5, and IIS 8.0 define the following HTTP sub-status codes that indicate a more specific cause of a 403 error:

•403.1 - Execute access forbidden. 

•403.2 - Read access forbidden. 

•403.3 - Write access forbidden. 

•403.4 - SSL required. 

•403.5 - SSL 128 required. 

•403.6 - IP address rejected. 

•403.7 - Client certificate required. 

•403.8 - Site access denied. 

•403.9 - Forbidden: Too many clients are trying to connect to the web server. 

•403.10 - Forbidden: web server is configured to deny Execute access. 

•403.11 - Forbidden: Password has been changed. 

•403.12 - Mapper denied access. 

•403.13 - Client certificate revoked. 

•403.14 - Directory listing denied. 

•403.15 - Forbidden: Client access licenses have exceeded limits on the web server. 

•403.16 - Client certificate is untrusted or invalid. 

•403.17 - Client certificate has expired or is not yet valid. 

•403.18 - Cannot execute requested URL in the current application pool. 

•403.19 - Cannot execute CGI applications for the client in this application pool. 

•403.20 - Forbidden: Passport logon failed. 

•403.21 - Forbidden: Source access denied. 

•403.22 - Forbidden: Infinite depth is denied. 

•403.502 - Forbidden: Too many requests from the same client IP; Dynamic IP Restriction limit reached.

 

The full status code "403.4" therefore means "SSL required": the site will only serve this resource over HTTPS.

 

A review of the applicationHost.config file confirms that SSL is required for the site (sslFlags="Ssl" is the setting behind the "Require SSL" check-box in IIS Manager):

<location path="MyIIS8.xWebSite">
  <system.webServer>
    <security>
      <access sslFlags="Ssl" />
    </security>
  </system.webServer>
</location>

Cause

The IIS web site is configured to require SSL (access sslFlags="Ssl"), but the request was made over HTTP instead of HTTPS. IIS itself rejects the request with 403.4 before it is handed to the Web Agent, so the absence of agent logs is expected and is not an agent fault.

Environment

R12.52 SP2 Policy Server on Windows 2012R2
R12.52 SP1 Agent for IIS on Windows 2012R2
IIS8.5 on Windows 2012R2

Resolution

Make the request over the web site's HTTPS port/binding. This is the preferred fix, since it keeps the Single Sign On session cookie and any credentials submitted through the agent off plain-text HTTP. Only if the site genuinely must be reachable over HTTP, either un-check the "Require SSL" check-box in the "SSL Settings" for the web site, or edit applicationHost.config and set the "access sslFlags" attribute to "None". In every case the 403.4 is produced by IIS, not by the Web Agent, so no agent configuration change is needed.
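The diagnosis and the two fixes above, as an added PowerShell example that is not part of the original article. It assumes the IIS 8.5 WebAdministration module is available, that the site is named "MyIIS8.xWebSite" as in the article (override with -Site), and that W3C logging is enabled for the site with the default fields; the -DisableRequireSsl switch is a hypothetical parameter introduced here so the article's "sslFlags=None" change is only made deliberately.

```powershell
# Added example (not from the original article): confirm an IIS 403.4 on a
# SiteMinder-protected site and apply one of the two fixes from the article.
# Assumptions: IIS 8.5 WebAdministration module; site name from the article;
# W3C log fields at least time, cs-uri-stem, s-port, sc-status, sc-substatus.
param(
    [string]$Site = 'MyIIS8.xWebSite',   # site name taken from the article
    [switch]$DisableRequireSsl           # hypothetical switch: apply sslFlags="None"
)
Import-Module WebAdministration

# applicationHost.config; -Location targets the site's <location path="..."> element,
# which is exactly where the article found <access sslFlags="Ssl" />.
$appHost = 'MACHINE/WEBROOT/APPHOST'

# 1. Which protocols is the site bound to? A 403.4 means the client used an http binding.
Write-Host "Bindings for $Site"
Get-WebBinding -Name $Site | Select-Object protocol, bindingInformation | Format-Table -AutoSize

# 2. Read the setting behind 403.4. "Ssl" = Require SSL on, "None" = off.
$sslFlags = Get-WebConfigurationProperty -PSPath $appHost -Location $Site `
    -Filter 'system.webServer/security/access' -Name sslFlags
Write-Host "access sslFlags for $Site = $sslFlags"

# 3. Confirm from the site's W3C log that the 403s carry sub-status 4 (SSL required).
#    Column positions are read from the log's own "#Fields:" header rather than hard-coded.
function Get-Iis403Entries {
    param([string]$LogFile)
    $fields = @()
    foreach ($line in Get-Content $LogFile) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line -like '#*' -or $fields.Count -eq 0) { continue }
        $cols = $line -split ' '
        if ($cols[[array]::IndexOf($fields, 'sc-status')] -ne '403') { continue }
        [pscustomobject]@{
            Time      = $cols[[array]::IndexOf($fields, 'time')]
            Uri       = $cols[[array]::IndexOf($fields, 'cs-uri-stem')]
            Port      = $cols[[array]::IndexOf($fields, 's-port')]
            SubStatus = $cols[[array]::IndexOf($fields, 'sc-substatus')]
        }
    }
}

$siteItem  = Get-Item "IIS:\Sites\$Site"
$logDir    = [Environment]::ExpandEnvironmentVariables($siteItem.logFile.directory)
$latestLog = Get-ChildItem (Join-Path $logDir "W3SVC$($siteItem.id)") -Filter '*.log' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($latestLog) {
    Write-Host "403.4 (SSL required) hits in $($latestLog.FullName):"
    Get-Iis403Entries -LogFile $latestLog.FullName |
        Where-Object SubStatus -eq '4' | Format-Table -AutoSize
}

# 4. Fix. Preferred: keep Require SSL and send clients to the https binding, so the
#    Single Sign On session cookie never travels in the clear.
if (-not $DisableRequireSsl) {
    $https = Get-WebBinding -Name $Site -Protocol https
    if (-not $https) {
        # A server certificate must still be bound to port 443 separately.
        New-WebBinding -Name $Site -Protocol https -Port 443
        Write-Host "Added an https binding on 443; bind a certificate to it and use https:// URLs."
    } else {
        Write-Host "Use the existing https binding: $($https.bindingInformation)"
    }
} else {
    # Alternative from the article (only if the site truly must serve plain HTTP):
    # the equivalent of un-checking "Require SSL", i.e. <access sslFlags="None" />.
    Set-WebConfigurationProperty -PSPath $appHost -Location $Site `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'None'
    Write-Host "Require SSL disabled for $Site (sslFlags=None); HTTP requests will now reach the Web Agent."
}
```

Run it without the switch first: it reports the bindings, the current sslFlags value and the logged 403.4 hits, and makes sure an https binding exists. Only pass -DisableRequireSsl once you have decided the site should really accept unencrypted requests, because after that change the agent's session cookie will be exchanged over HTTP.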