I have installed Shibboleth on Windows 2016 with IIS 10.0 and am working through configuring it as a Service Provider. I am trying to view this URL on my local server:
https://localhost/Shibboleth.sso/Status
...but I just get an HTTP Error 404.0 - Not Found. There is nothing in the Shibboleth Event Viewer for this error.
I do not see anything in ISAPI Filters or Handler Mappings related to Shibboleth, which is what I would assume the server needs in order to properly handle a file with extension SSO. Should there be something there? Nothing was added there as part of the installation process, nor did I see any documentation stating that I was supposed to.
Or is the problem somewhere else?
I am using IIS8 with MVC.NET website built on .net framework 4.5, Here as a part of security fix I am told to have the generic error message for all 403 status codes, This I was able to achieve using httpErrors tags from web.config file using "" entry. But there are some error which are thrown by http.sys which are still showing the system level errors instead of generic error. For example doing a GET request to url "http://abc.xyz.com/login/../../../../../../../admin.txt" is returning "HTTP Error 403. The request URL is forbidden." error while it should return the generic error message which is mentioned in my httpErrors tag.
To my surprise if I stop the website (Not IIS) still I am getting the same error which did confirm that the error is handleded at the low level APIs of IIS and not getting passed down to application layer hence any changes in web.config are not helping to fix this issue.
Could someone please shade some light on how to fix this issue ?
Thanks
Ajay Sawant
I've got 6 identical machines running IIS and Apache. Today one of them decided to just stop serving requests. I can access all of the webapps when I try from localhost/resource but when I try from url/resource I get a 404. I did a Get request against the machine that isn't working and I get this back:
Server: Microsoft-HTTPAPI/2.0
Connection: close
Compared to a working server:
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Type: text/html
Tried searching for this problem but came up with nothing, anyone got any idea's?
Windows has an HTTP service that manages calls to IIS and other HTTP enabled services on a windows machine. Either you need to configure it to handle your calls, or, in the case of WAMP or similar non-IIS-web-server-on-windows scenarios you may just need to turn it off.
When you see "Microsoft-HttpApi/2.0" returning error, such as 400 "bad URL" or "bad header", etc. the problem is most likely because the HTTP.sys service is intercepting your http request and terminating it because it does not meet with the minimum validation rules that are configured.
This configuration is found in the registry at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. In my case, it was choking because I had a RESTful call that had a 400 character segment in the url which was 160 characters more than the default value of 260, so I
added the registry parameter UrlSegmentMaxLength with a DWORD value of 512,
stopped the service using net stop http
started the service using net start http
I've run into these issues before and it is easy to troubleshoot but there is very little on the web that addresses it.
Try these links
"the underlying problem is that the client has sent a request to IIS that breaks one or more rules that HTTP.sys is enforcing"
enabling logging on HTTP.sys is described here
a list of the HTTP.sys parameters that you can control in the registry is found here.
A bit late, so put here for posterity ;-)
After trying all sorts of solutions found on the web, I almost gave up, but found this little nugget.
If the response's Server header returns Microsoft-HttpApi/2.0, it means that the HTTP.sys is being called, not IIS.
As a result, a lot of the workarounds will not work (URLScan, etc).
This worked however:
Open regedit
Navigate HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\
If DisableServerHeader doesn't exist, create it (DWORD 32bit) and give it a value of 2. If it does exist, and the value isn't 2, set it to 2.
Finally, restart the service by calling net stop http then net start http
src: WS/WCF: Remove Server Header
Set below registry flag to: 2
HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader
Setting this to 2 will ensure that self host WCF services no longer sends the SERVER header and thus ensure we are security compliant.
Please note that this disables ALL server headers.
The default value of 0 enables the header, and the value of 1 disables server header from DRIVER (http.sys), but app can still have headers.
For me I had to restart the server for the changes to take effect.
Hope this helps someone
I was working on our web app on a client's site and ran into an issue where the site root pages loaded, but the reports folder always returned a 404 for files that existed in the folder. The 404 page showed the .Net version of 2 when the application was set to 4, and a test of a non-existent page in the root returned a 404 page showing .Net 4.
I tried just http://localhost/reports and got back a Microsoft Reporting Services page. Not part of my application.
Be sure to check just the default document of the folder when a unexpected 404 comes up and the file exists.
This question and series of replies helped me get to the bottom of the related issue I was having. My issue centered around using just a subdomain to go to our server (e.g. typing "www/somepath" into the browser while on our corporate network), which had worked in the past on an older server, but no longer worked when the system was upgraded to a new server. I saw the unexpected Microsoft-HttpApi/2.0 string in the header when using the Chrome Devtools to inspect the Network traffic.
My HTTP.sys process was already logging, so I could verify that my traffic was going to that service and returning 404 NotFound status codes.
My resolution was to add a binding to the IIS site for the subdomain, making IIS respond instead of the HTTP.sys process, as described in this server fault article - https://serverfault.com/questions/479274/why-is-microsoft-httpapi-returning-404-to-my-network-switch
In my case, running Windows 10 Pro, it was the Windows MultiPoint Service.
By executing:
net stop wms
Port 80 was released.
I am an intern in an interactive media company, my employers have many websites they host for small businesses. When any of the websites URL's is accessed on the web it works great, altough when you place "/test" behind the url and enter it comes up with the 500.19 internal server error, stating the configuration file path is invalid. While it should just be giving the 404 error.
We did not create the /test site. We also have URL rewrite installed and functioning but we really need to know what is causing this error. As I said it needs to give a 404 error and than perhaps we can have it rewrite this URL.
If anyone has any idea what is going on here please help. Searching the web has yielded zero results. Below I will paste the full error report.
Error Summary
HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.
Detailed Error Information
Module IIS Web Core
Notification BeginRequest
Handler Not yet determined
Error Code 0x80070003
Config Error Cannot read configuration file
Config File \\?\D:\Sites\vhosts\***********.com\httpdocs\test\web.config
Requested URL http://***.*************.com:80/test
Physical Path D:\Sites\vhosts\************.com\httpdocs\test
Logon Method Not yet determined
Logon User Not yet determined
Config Source
-1:
0:
I'm using CC.NET 1.6 server and its corresponding CCTray connecting happily via remoting but need to change to use the dashboard connection via HTTP so that I can start farming the URL out to developers.
Putting my dashboard URL into CCTray:
http://localhost/CruiseControl/server/local/ViewServerReport.aspx
Results in CCTray returning
Failed to connect to server: The remote server returned an error: (500) Internal Server Error.
If I check my IIS logs, I can see the request was turned into a POST to this location and the log confirms the 500 response.
/CruiseControl/server/local/ViewServerReport.aspx/server/localhost/RawXmlMessage.aspx
If I navigate to that URL via GET - I get some Xml with error "Unable to process error: Root element is missing". This could be an artifact of me doing a GET instead of a POST of course.
Note: Yes I am using localhost in the URL as it is all contained on the one machine at the moment, if I can get this to work then I will of course change to use better hostname.
Worked this out after upgrading to cc.net 1.8
1) Check dashboard.config for server name
Use fiddler to watch the request go through and observe the dashboard server name
http://localhost/CruiseControl/server/yourdomain.com/ViewServerReport.aspx
In the above case it is yourdomain.com
Open your dashboard.config and make sure there is an entry with the same name
<server name="yourdomain.com" url="tcp://localhost:21234/CruiseManager.rem" allowForceBuild="true" allowStartStopBuild="true" backwardsCompatible="false" />
2) Check IIS request validation
Check your application pool for Cruise Control's IIS. If it is .NET 4.0 then you need this in your web.config
<httpRuntime requestValidationMode = "2.0" />
That config is sitting in cc.net 1.8 web.config but needs uncommenting
3) Try again, you should be good - if not observe responses in fiddler