There is a bug I discovered today in IIS 10.0 where it gives the following "FALSE" error message:
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
This happens when you have the following situation:
1) A self-signed root certificate. This certificate can be from a CA (Certificate Authority) or not. (LET'S CALL THIS CERT "CA-A")
2) CA-A is properly installed in your Windows 10 "Trusted Root Authority" store.
3) You have another cert (LET'S CALL IT "CERT-B"). This cert was signed by CA-A.
4) You have a client-authentication cert you use for accessing your website (LET'S CALL IT "CERT-C").
5) You have a website secured by client-certificate authentication. It does not matter if you are using mapping, or any other type of authentication. Just that under the SSL Settings for a site, you have the "Require" radio button selected under the Client Certificates option.
6) When you superfluously install CERT-B into the "Trusted Root Authority", any future client-certificate logons with CERT-C return 403.16. Performing a trace will show "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider" as the cause. When you remove the cert (and restart IIS), your site will start working again.
This bug has perplexed me for months and other forum posts don't properly identify this as an issue. Instead, they all assume that the user has forgotten to install something in Trusted Root Authority.
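
An added example, not part of the original post: a read-only PowerShell check that lists certificates in the machine root store whose issuer differs from their subject, which is the CERT-B condition in step 6. The function name `Get-NonSelfSignedRoot` is hypothetical, and the script assumes the post's "Trusted Root Authority" store is `Cert:\LocalMachine\Root`.

```powershell
# Added example (not from the original post). Read-only: it reports and removes nothing.
# Get-NonSelfSignedRoot is a hypothetical helper name.
function Get-NonSelfSignedRoot {
    param(
        # Assumption: the "Trusted Root Authority" store in the post is the machine Root store.
        [string]$StorePath = 'Cert:\LocalMachine\Root'
    )

    $roots = @(Get-ChildItem -Path $StorePath)

    # Case-sensitive set of encoded subject names, used to look up each issuer.
    $subjects = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($c in $roots) {
        [void]$subjects.Add([Convert]::ToBase64String($c.SubjectName.RawData))
    }

    foreach ($c in $roots) {
        $subject = [Convert]::ToBase64String($c.SubjectName.RawData)
        $issuer  = [Convert]::ToBase64String($c.IssuerName.RawData)

        # A genuine root is self-issued: its encoded subject and issuer are identical.
        # Anything else in this store matches the CERT-B case from step 6.
        if ($subject -cne $issuer) {
            [pscustomobject]@{
                Subject           = $c.Subject
                Issuer            = $c.Issuer
                Thumbprint        = $c.Thumbprint
                NotAfter          = $c.NotAfter
                # True when the signing CA (CA-A in the post) sits in the same store.
                IssuerInSameStore = $subjects.Contains($issuer)
            }
        }
    }
}

$found = @(Get-NonSelfSignedRoot)
if ($found.Count -eq 0) {
    'No non-self-signed certificates found in the root store.'
} else {
    $found | Format-List
}
```

Any entry it prints is a candidate for the behaviour described in step 6.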