403.6 medium
HTTP Error 403.6 - Forbidden: IP address rejected (IIS)
IIS blocked the request because the client IP matches a deny rule in IP and Domain Restrictions.
What you see
HTTP Error 403.6 - Forbidden
You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept.
("Forbidden: IP address rejected")
What’s actually happening
A browser gets a 403 and the IIS detailed error shows sub-status 403.6. It hits either everyone or one specific network, depending on whether the deny list is too broad or the rule caught a real visitor. Behind a load balancer or reverse proxy the symptom is brutal: legitimate users are blocked because IIS evaluates the proxy's IP, not theirs.
Common causes
- An explicit Deny entry in the site's IP Address and Domain Restrictions matches the client (or a CIDR range that's wider than intended)
- The feature is set to "Deny" by default (unlisted clients are blocked) and the visitor was never added to an allow list
- IIS sits behind a proxy/CDN/load balancer, so it sees the intermediary's IP - your restriction rules evaluate the wrong address
- Domain-name restrictions are enabled, forcing a reverse-DNS lookup on every request that mismatches or times out
- A stale allow-only rule left over from a maintenance lockdown that was never removed
How to fix it
- Confirm it's really 403.6: Enable detailed errors or read %SystemDrive%\inetpub\logs\LogFiles - the sc-status sc-substatus columns will show 403 6. Other 403 sub-statuses (403.1 exec, 403.14 dir listing, 403.503 throttling) have completely different fixes, so pin the sub-status first.
- Edit the deny/allow list in IIS Manager: Open the site, choose IP Address and Domain Restrictions. Remove or narrow the Deny entry that matched, or add the blocked client as Allow. Check "Edit Feature Settings" - if the default action is Deny, every unlisted IP is rejected, which is usually the real problem.
- Fix it for proxied/load-balanced sites: In IP Address and Domain Restrictions, open Edit Feature Settings and enable "Enable Proxy Mode" so IIS evaluates the X-Forwarded-For header instead of the connecting (proxy) IP. Confirm your proxy actually sets XFF. Without proxy mode, every rule applies to the load balancer's address, not the visitor's.
- Edit ApplicationHost.config directly when scripting: Rules live under <system.webServer><security><ipSecurity> in %windir%\System32\inetsrv\config\applicationHost.config. Set allowUnlisted true/false and add <add ipAddress="..." allowed="true|false"/> entries. Run iisreset or recycle the app pool after editing.
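The log check from the first step, as an added example that is not part of the original page: it reads W3C-format IIS log lines, counts the `403 6` rows per `c-ip`, and reports what share of them come from addresses you list as your proxy or load balancer. The log lines and the `PROXY_IPS` value are constructed samples; substitute your own log file and intermediary addresses.

```python
from collections import Counter

# Constructed sample in IIS W3C extended log format (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 10:00:01 10.0.0.5 GET / - 443 - 10.0.0.20 Mozilla/5.0 403 6 0 3
2024-05-01 10:00:02 10.0.0.5 GET /app - 443 - 10.0.0.20 Mozilla/5.0 403 6 0 2
2024-05-01 10:00:03 10.0.0.5 GET /docs/ - 443 - 10.0.0.20 curl/8.0 403 14 0 1
2024-05-01 10:00:04 10.0.0.5 GET / - 443 - 10.0.0.20 Mozilla/5.0 403 6 0 2
2024-05-01 10:00:05 10.0.0.5 GET /admin - 443 - 198.51.100.7 curl/8.0 403 6 0 1
2024-05-01 10:00:06 10.0.0.5 GET /health - 443 - 10.0.0.21 probe 200 0 0 1
"""
PROXY_IPS = {"10.0.0.20"}  # assumption: address of your proxy / load balancer


def rejected_by_ip(lines, status="403", substatus="6"):
    """Count requests per c-ip that IIS logged with the given status/sub-status."""
    fields, hits = [], Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Match status and sub-status together: 403.14 etc. need other fixes.
        if row.get("sc-status") == status and row.get("sc-substatus") == substatus:
            hits[row.get("c-ip", "?")] += 1
    return hits


def proxy_share(hits, proxy_ips):
    """Fraction of rejected requests whose c-ip is a known intermediary."""
    total = sum(hits.values())
    return sum(n for ip, n in hits.items() if ip in proxy_ips) / total if total else 0.0


if __name__ == "__main__":
    hits = rejected_by_ip(SAMPLE_LOG.splitlines())
    for ip, count in hits.most_common():
        print(f"{ip:15} {count} x 403.6")
    print(f"share logged with a proxy address as c-ip: {proxy_share(hits, PROXY_IPS):.0%}")
```

A high share means the rules are being evaluated against the intermediary's address, which is the case proxy mode addresses; a low share points at the deny/allow list itself.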
Stop it recurring
Document every IP restriction rule and prefer narrow allow/deny entries over broad ranges, and always enable proxy mode before putting an IIS site behind a load balancer.