Comments on: ISA Server error 12217 http://www.tomrafteryit.net/isa-server-error-12217/ Tom Raftery, social media consultant, speaker, blogger and podcaster Sat, 06 Sep 2008 22:21:12 +0000 http://wordpress.org/?v=2.6 By: Baruch http://www.tomrafteryit.net/isa-server-error-12217/#comment-115368 Baruch Tue, 18 Mar 2008 21:12:32 +0000 http://www.tomrafteryit.net/views/?p=96#comment-115368 Hey Stuart, I am sure you are long past your carriage return problem. However, I have an answer for the next guy that sees your post. After talking to microsoft, they state they intentionally break urls with an encoded CRLF (%0d%0a) to prevent cross site scripting. A work around is to use HTTP authentication (we were using forms auth). We ended up changing our code to use a POST instead of a GET. Hey Stuart,

I am sure you are long past your carriage return problem. However, I have an answer for the next guy that sees your post. After talking to microsoft, they state they intentionally break urls with an encoded CRLF (%0d%0a) to prevent cross site scripting. A work around is to use HTTP authentication (we were using forms auth). We ended up changing our code to use a POST instead of a GET.

]]> By: Scott http://www.tomrafteryit.net/isa-server-error-12217/#comment-109251 Scott Thu, 09 Aug 2007 13:35:20 +0000 http://www.tomrafteryit.net/views/?p=96#comment-109251 Just ran into the exact problem listed for one of our newly published internal pages. Googled, found your page, fixed problem, partied like a rock star. Thanks! Just ran into the exact problem listed for one of our newly published internal pages. Googled, found your page, fixed problem, partied like a rock star. Thanks!

]]> By: Mickel http://www.tomrafteryit.net/isa-server-error-12217/#comment-95750 Mickel Fri, 19 Jan 2007 17:07:12 +0000 http://www.tomrafteryit.net/views/?p=96#comment-95750 Thanks a lot for your comment. You saved my day, man! Thanks a lot for your comment. You saved my day, man!

]]> By: Helder Mansur http://www.tomrafteryit.net/isa-server-error-12217/#comment-44532 Helder Mansur Thu, 19 Oct 2006 14:18:15 +0000 http://www.tomrafteryit.net/views/?p=96#comment-44532 I tried it in my isa server, but I can't edit http protocol under general tab. the "filtering" option isn't available for clicking. Any ideas???? isa server is 2004 sp1. I tried it in my isa server, but I can’t edit http protocol under general tab. the “filtering” option isn’t available for clicking. Any ideas???? isa server is 2004 sp1.

]]> By: Naveed http://www.tomrafteryit.net/isa-server-error-12217/#comment-5950 Naveed Fri, 10 Mar 2006 04:43:59 +0000 http://www.tomrafteryit.net/views/?p=96#comment-5950 yes tom i am confirm.. however i tried to uninstall isa 2004 but it dosent by saying ( failed to unregister vpn ) .. after that it start creating diffrent kinds of problem. so then i again install win 2003 and isa 2004... my problem is solved but i again facing problem .. my application event log always gets full with these events [The daily summary for day "03/08/2006" was not created. Use the source location 1001.470.4.0.2161.50 to report the failure.] plz guide me .. also tell me the best way to uninstall. Regards yes tom i am confirm.. however i tried to uninstall isa 2004 but it dosent by saying ( failed to unregister vpn ) .. after that it start creating diffrent kinds of problem. so then i again install win 2003 and isa 2004…

my problem is solved but i again facing problem .. my application event log always gets full with these events

[The daily summary for day "03/08/2006" was not created. Use the source location 1001.470.4.0.2161.50 to report the failure.]

plz guide me .. also tell me the best way to uninstall.

Regards

]]> By: Tom Raftery http://www.tomrafteryit.net/isa-server-error-12217/#comment-5879 Tom Raftery Thu, 09 Mar 2006 09:01:20 +0000 http://www.tomrafteryit.net/views/?p=96#comment-5879 Naveed, have you confirmed that ISA is causing the problem (i.e. does turning ISA off allow the graphics to display)? Naveed,

have you confirmed that ISA is causing the problem (i.e. does turning ISA off allow the graphics to display)?

]]> By: Naveed http://www.tomrafteryit.net/isa-server-error-12217/#comment-5871 Naveed Thu, 09 Mar 2006 07:03:24 +0000 http://www.tomrafteryit.net/views/?p=96#comment-5871 I am facing problem regarding mail.yahoo.com .. i am running isa 2004 on workstations mail.yahoo.com dosent display full graphics what should i do ? I am facing problem regarding mail.yahoo.com .. i am running isa 2004

on workstations mail.yahoo.com dosent display full graphics

what should i do ?

]]> By: Tom Raftery http://www.tomrafteryit.net/isa-server-error-12217/#comment-3257 Tom Raftery Fri, 23 Dec 2005 16:35:56 +0000 http://www.tomrafteryit.net/views/?p=96#comment-3257 Stuart, I'm afraid I'm a bit of an ISA Server novice as well - sorry I can't answer this one for you - if you figured it out, you might leave a comment here so others will find it... Thanks, Tom Stuart,

I’m afraid I’m a bit of an ISA Server novice as well - sorry I can’t answer this one for you - if you figured it out, you might leave a comment here so others will find it…

Thanks,

Tom

]]> By: Stuart Holding http://www.tomrafteryit.net/isa-server-error-12217/#comment-2943 Stuart Holding Thu, 08 Dec 2005 05:13:57 +0000 http://www.tomrafteryit.net/views/?p=96#comment-2943 Hi Tom, I am getting this error on an ASP.NET web site I have hosted in the DMZ behind my ISA Server 2004 Firewall. I have enabled high bit characters on the HTTP filter as you mentioned above but still seem to get the error (on pages where a carriage return character is likely to be appearing. Is there any other configuration settings I should be looking for (sorry, but I am a bit of an ISA novice) Hi Tom,

I am getting this error on an ASP.NET web site I have hosted in the DMZ behind my ISA Server 2004 Firewall. I have enabled high bit characters on the HTTP filter as you mentioned above but still seem to get the error (on pages where a carriage return character is likely to be appearing.
Is there any other configuration settings I should be looking for (sorry, but I am a bit of an ISA novice)

]]> By: Tom Raftery http://www.tomrafteryit.net/isa-server-error-12217/#comment-2546 Tom Raftery Wed, 16 Nov 2005 15:28:44 +0000 http://www.tomrafteryit.net/views/?p=96#comment-2546 Great Tyler, happy I was able to help someone else with this, Cheers, Tom Great Tyler,

happy I was able to help someone else with this,

Cheers,

Tom

]]> By: Tyler http://www.tomrafteryit.net/isa-server-error-12217/#comment-2545 Tyler Wed, 16 Nov 2005 14:58:39 +0000 http://www.tomrafteryit.net/views/?p=96#comment-2545 Thank you for this... I was running into an error with our client database, which had a lot of French names with ô's and various other accented characters. A quick Google search turned up your blog. Problem solved in under 1 minute. Cheers! Thank you for this… I was running into an error with our client database, which had a lot of French names with ô’s and various other accented characters.

A quick Google search turned up your blog. Problem solved in under 1 minute.

Cheers!

]]> By: Jon Hanna http://www.tomrafteryit.net/isa-server-error-12217/#comment-49 Jon Hanna Sun, 07 Nov 2004 14:46:20 +0000 http://www.tomrafteryit.net/views/?p=96#comment-49 I've come across a similar thing with the filter Microsoft offer for IIS. I suspect the original intention was to block attacks based on overlong UTF-8 encodings (I say a bit about this issue at http://www.hackcraft.net/xmlUnicode/#sect4220 and the Unicode Standard itself has information on it). However, it's relatively easy to get secure UTF-8 parsing right - and to know you have it right. There are also phishing opportunities with Internationalised URIs, but only a small subset of these would be prevented by this blocking (though if you let people create their own sections on your site then someone with control of http://example.net/ThisBit could have customers phished from http://example.net/ThisBit where the letter before "hisBit" is actually a Cyrillic letter Te, not the Latin letter "Tee"). Another reason for blocking is that we've only relatively recently had a standard on how to deal with characters in the range U+0080 and higher in URIs (although it's been clear for some time that the standard would use UTF-8 encoding escaped as per the existing URI character escape rules), and there is still some variation in practice and hence scope for difficulties. The ISA Server people may just have considered it best to block those who didn't know what they were doing and force them to stick to the US-ASCII range. I’ve come across a similar thing with the filter Microsoft offer for IIS. I suspect the original intention was to block attacks based on overlong UTF-8 encodings (I say a bit about this issue at http://www.hackcraft.net/xmlUnicode/#sect4220 and the Unicode Standard itself has information on it). However, it’s relatively easy to get secure UTF-8 parsing right - and to know you have it right.

There are also phishing opportunities with Internationalised URIs, but only a small subset of these would be prevented by this blocking (though if you let people create their own sections on your site then someone with control of http://example.net/ThisBit could have customers phished from http://example.net/ThisBit where the letter before “hisBit” is actually a Cyrillic letter Te, not the Latin letter “Tee”).

Another reason for blocking is that we’ve only relatively recently had a standard on how to deal with characters in the range U+0080 and higher in URIs (although it’s been clear for some time that the standard would use UTF-8 encoding escaped as per the existing URI character escape rules), and there is still some variation in practice and hence scope for difficulties. The ISA Server people may just have considered it best to block those who didn’t know what they were doing and force them to stick to the US-ASCII range.

]]>