I have an ASP.NET (version 4) MVC 3 application running on IIS 7.5. Anytime there is a single quote in the URL, for example http://devserver.com/myapplication/Home?filter=id~eq~'123' - I get a 403 Forbidden error.
Specifically, this happens when I'm using a Kendo UI grid and am trying to filter one of the columns. But I found that anytime a single quote is in the URL, IIS immediately gives the 403 error.
I've looked in the IIS logs and the event viewer and there is no indication anywhere of a 403 response - I can't seem to find out specifically why the 403 was given.
It's not IIS, it's Siteminder! We have Siteminder in front of our web application, and Siteminder intercepts all incoming traffic for authentication. In this case, Siteminder will also disallow a URL with a single quote in it. Although the 403 error looks like it's coming from IIS, it's really coming from Siteminder.
This issue happened for my app as well and the culprit is Siteminder in my case.
They have a set of BadCSSChars lists which would be validated against our URL. If any bad character is found, the URL will be blocked and wont reach IIS.
Siteminder can remove the 'character needed' exception in the agent.log file (not an expert in this, but heard that this file which stores badcsschars list) in the app server.
Related
I'm working with MicroStrategy 10.3, hosted on IIS 7.5. I'm using their
URL API to run a document, and change the value of a drop down selector.
IIS is tinkering with my query parameters though, via a 302 redirect. This URL:
https://server/MicroStrategy/asp/Main.aspx?Server=XXX&Project=XXX&evt=2048001&src=Main.aspx.2048001&maxWait=-1&documentID=XXX&evt=2048084&src=Main.aspx.oivm.rwb.2048084&ctlKey=XXX&elemList=hXX;XXX&evtorder=2048001%2c2048084&2048084=1&2048001=1
is being 302'ed to:
https://server/MicroStrategy/asp/Main.aspx?Server=XXX&Project=XXX&evt=2048001%2C2048084&src=Main.aspx.2048001%2CMain.aspx.oivm.rwb.2048084&maxWait=-1&documentID=XXX&ctlKey=XXX&elemList=hXX%3BXXX&evtorder=2048001%2C2048084&2048084=1&2048001=1
(The two distinct evt and src are being combined, and MicroStrategy is complaining that 'Event ID 2048001,2048084 is illegal'.)
Does IIS do this type of thing out of the box? It certainly seems unlikely. I can't see any custom HTTP redirects in IIS Manager for the application.
IIS was most definitely not the culprit.
MicroStrategy was generating the 302 redirect itself, subsequent to an automated login. You would think that an enterprise application wouldn't rewrite its own URL such that it causes an error, but you'd be wrong.
I resolved the issue by manually adding a login event, and URL-encoding the two events I wanted to call into the target key:
https://server/MicroStrategy/asp/Main.aspx?Server=XXX&Project=XXX&evt=3054&src=Main.aspx.3054&target=evt%3D2048001%26src%3DMain.aspx.2048001%26maxWait%3D-1%26documentID%3DXXX%26evt%3D2048084%26src%3DMain.aspx.oivm.rwb.2048084%26ctlKey%3DXXX%26elemList%3DhXX%3BXXX%26evtorder%3D2048001%252c2048084%262048084%3D1%262048001%3D1
I've got 6 identical machines running IIS and Apache. Today one of them decided to just stop serving requests. I can access all of the webapps when I try from localhost/resource but when I try from url/resource I get a 404. I did a Get request against the machine that isn't working and I get this back:
Server: Microsoft-HTTPAPI/2.0
Connection: close
Compared to a working server:
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Type: text/html
Tried searching for this problem but came up with nothing, anyone got any idea's?
Windows has an HTTP service that manages calls to IIS and other HTTP enabled services on a windows machine. Either you need to configure it to handle your calls, or, in the case of WAMP or similar non-IIS-web-server-on-windows scenarios you may just need to turn it off.
When you see "Microsoft-HttpApi/2.0" returning error, such as 400 "bad URL" or "bad header", etc. the problem is most likely because the HTTP.sys service is intercepting your http request and terminating it because it does not meet with the minimum validation rules that are configured.
This configuration is found in the registry at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. In my case, it was choking because I had a RESTful call that had a 400 character segment in the url which was 160 characters more than the default value of 260, so I
added the registry parameter UrlSegmentMaxLength with a DWORD value of 512,
stopped the service using net stop http
started the service using net start http
I've run into these issues before and it is easy to troubleshoot but there is very little on the web that addresses it.
Try these links
"the underlying problem is that the client has sent a request to IIS that breaks one or more rules that HTTP.sys is enforcing"
enabling logging on HTTP.sys is described here
a list of the HTTP.sys parameters that you can control in the registry is found here.
A bit late, so put here for posterity ;-)
After trying all sorts of solutions found on the web, I almost gave up, but found this little nugget.
If the response's Server header returns Microsoft-HttpApi/2.0, it means that the HTTP.sys is being called, not IIS.
As a result, a lot of the workarounds will not work (URLScan, etc).
This worked however:
Open regedit
Navigate HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\
If DisableServerHeader doesn't exist, create it (DWORD 32bit) and give it a value of 2. If it does exist, and the value isn't 2, set it to 2.
Finally, restart the service by calling net stop http then net start http
src: WS/WCF: Remove Server Header
Set below registry flag to: 2
HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader
Setting this to 2 will ensure that self host WCF services no longer sends the SERVER header and thus ensure we are security compliant.
Please note that this disables ALL server headers.
The default value of 0 enables the header, and the value of 1 disables server header from DRIVER (http.sys), but app can still have headers.
For me I had to restart the server for the changes to take effect.
Hope this helps someone
I was working on our web app on a client's site and ran into an issue where the site root pages loaded, but the reports folder always returned a 404 for files that existed in the folder. The 404 page showed the .Net version of 2 when the application was set to 4, and a test of a non-existent page in the root returned a 404 page showing .Net 4.
I tried just http://localhost/reports and got back a Microsoft Reporting Services page. Not part of my application.
Be sure to check just the default document of the folder when a unexpected 404 comes up and the file exists.
This question and series of replies helped me get to the bottom of the related issue I was having. My issue centered around using just a subdomain to go to our server (e.g. typing "www/somepath" into the browser while on our corporate network), which had worked in the past on an older server, but no longer worked when the system was upgraded to a new server. I saw the unexpected Microsoft-HttpApi/2.0 string in the header when using the Chrome Devtools to inspect the Network traffic.
My HTTP.sys process was already logging, so I could verify that my traffic was going to that service and returning 404 NotFound status codes.
My resolution was to add a binding to the IIS site for the subdomain, making IIS respond instead of the HTTP.sys process, as described in this server fault article - https://serverfault.com/questions/479274/why-is-microsoft-httpapi-returning-404-to-my-network-switch
In my case, running Windows 10 Pro, it was the Windows MultiPoint Service.
By executing:
net stop wms
Port 80 was released.
the linux-guy here has a question about IIS v6.
The case is, that i have a site running, when i do some specific tasks on this site ( Like deleting a specific item, three times in a row) the site will break, and a completely blank page will appear. Checking the response headers, i noticed that the server sends a "403 Forbidden: IP address of the client has been rejected."
Through a proxy, i can connect just fine.
Checking the site-options in the IIS manager, shows me that my IP is not blocked globally, its something thats just happening.
Where can i check for this? It happens automatically and the block ends after about 8-12 minutes, every time?
best regards.
Jonas
do you have access to IIS?
i assume blocking occure on web site side (inside ASP code), not in IIS.
please check IIS console, and make sure that there are no blocked IP's. If it's true, you should find database/table or some config file, where stored all blocked IP's. After that, you should get able to find ASP code, which is responsable for blocking....
you also could try make quick search inside all ASP pages for text like: "REMOTE_ADDR" and ".ServerVariables"
I would appreciate any hints regarding the following issue:
The problem summary:
While using Negotiate:Kerberos in IIS 7.5, the authorization works correctly right until we setup URL rewriting (using the MS module "URL Rewrite 2.0") - any rewritten URL then returns "401.1 Unathorized" (requests not matching any rewrite rule keep working though).
The setup:
Windows Server 2008 R2 x64
IIS 7.5
URL Rewrite 2.0
Server is in a domain
SPN exists for HOST/hostname and HOST/hostname.domain (created by default)
Pool is using default ApplicationPoolIdentity (no custom account, not network service)
Kernel mode set to OFF
Authentication providers set to "Negotiate:Kerberos" only (no NTLM or annonymous)
URL Rewrite rule as as "^(.*)/$" => "index?x={R1}"
The result:
1) When accessing any URL not matching any URL rewrite pattern, Kerberos is working correctly, i.e. Kerberos ticket is issued (verified using klist), sent (verified using netmon and HTTP headers) and accepted (verified by URL being accessible and appropriate AUTH_USER property set to my domain account name) => no problem here.
2) When accessing any URL matching URL rewrite pattern, e.g. "hostname/foo" the result is:
HTTP Error 401.1 - Unauthorized
You do not have permission to view this directory or page using the credentials that you supplied.
Module WindowsAuthenticationModule
Notification AuthenticateRequest
Error Code 0x80070055
Requested URL http://hostname/index?x=foo
Physical Path D:\wwwroot\
Logon Method Not yet determined
Logon User Not yet determined
(if we try to access the rewritten URL directly, e.g. hostname/index?x=foo, Kerberos works again normally)
The attempts to solve it so far:
After googling, we have tried several options:
turning kernel mode ON: Kerberos stopped working completely, using either default pool identity or network service (I suppose we would need to setup additional HTTP SPN and/or use custom domain account with additional SPN for that account explicitly)
turning "useAppPoolCredentials" ON: no difference
enabling "Failing Request Tracing": surprisingly these failing 401.1 requests ARE NOT generating any output into the fail logs no matter what rule we try to setup (e.g. 400-999) - the folder is just empty (while other errors, like 404 or even handshake 401.x when accessing not-rewritten URLs are generating logs - very strange)
The conclusion:
So far we have reached a dead end - it may be some weird kind of "double hop" issue requiring using a custom domain account rather than default app pool identity, but as we're in fact accessing the same resources, it seems more like a URL Rewrite issue.
Any tips, hints, pointers? Anything would be highly appreciated.
Best regards,
Marek
we face the same issues as you do. By enabling extended error logging, we were able to put the finger on the actual problem, which seems to be a bug in the rewrite module (or at least in some part of IIS, which is related to the module):
When the URL gets rewritten, the access to the new rewritten URL is checked (seemingly hardcoded) using Basic Authentication and NTLM, neither of which has been configured on the Website at hand. The only configured authentication provider is Kerberos. Since the client doesnt send NTLM nor Basic credentials, there is no way this can work.
We (another person on the current project) are sending the issue to Microsoft. I will let you know, when I get any result.
It seems as though you have multiple issues here.
Failed-Request Tracing Logs
To fix your missing logs issue, you must make sure that the user that is running your site's AppllicationPool has read/modify rights to the folder where those logs are generated, otherwise you won't see anything. See the section labeled "Enable Failed-Request Tracing" on this page: Troubleshoot Failed Requests Using Tracing in IIS 7
What isn't clear is the fact that the site's Application Pool Identity (found in Advanced Settings for Application Pool) is the account that needs read/modify rights to that folder.
Once that is fixed you can load the XML logs in IE and see a much clearer picture of what is going on.
401.1 - Unauthorized Issue
A possible fix to your 401 error is to make sure unlisted file name extensions are allowed in Request Filtering. Go to IIS --> Sites --> [your site] --> Request Filtering
You have two options here:
Allow File Name Extension... and add the value "." (minus the quotes), see this answer.
Edit Feature Settings... and enabled the option "Allow unlisted file name extensions"
The 1st option should work well, the 2nd option obviously opens up a gaping hole but allows everything so you should be able to get it working.
I hope that helps.
We've just set up a new dedicated server at hostgator, running Windows 2008 Server, IIS7 and ColdFusion 8 ENT.
On browsing the homepage, sometimes the site works, sometimes, part of the site runs and I can see a 403 error in Firebug. At other times, I only get an IIS error page saying:
"403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied."
The site is http://www.asia-buy.com. It might run first time, but if you refresh it a few times, you'll probably encounter the problem.
There is a lot of ajax and JSON stuff going on under the hood and I'm wondering if that has any bearing on the problem.
Would appreciate advice from anyone who may have solved a similar issue in the past.
Resolved: Hostgator says this is actually a security setting in IIS to attempt to prevent DDOS attacks on the website. A a developer, I use CTRL-F5 a lot. A normal user would not.
Full error:
HTTP Error 403.502 - Forbidden
The IP address from which you are browsing is not permitted to access the requested Web site because it has made too many requests over short period of time.
Open IIS Manager.
Go to your website.
Go to Features/IP Address and Domain Restrictions/Dynamic IP Restriction Settings
Uncheck the boxes, or change the values, as needed