Install/Configuration/Run Errors


Johnson, Roger [BSD] - HSD

Jan 12, 2012, 11:38:59 AM
to us...@shibboleth.net

Hello All,

I am unable to get Shibboleth configured on my IIS box. I get as far as being sent to authenticate, and then I get IIS 500 errors.

I am not sure what information I need to provide to get help with this issue. I have TeamViewer installed for anyone who is an expert with Shibboleth and IIS.

IIS Box Configuration:

- Win2008 64bit
- IIS 7
- NLB (using Microsoft NLB and two physical boxes)
- IIS uses Shared Configuration

Any Help is greatly appreciated!


This email is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged and confidential. If the reader of this email message is not the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is prohibited. If you have received this email in error, please notify the sender and destroy/delete all copies of the transmittal. Thank you.

Cantor, Scott

Jan 12, 2012, 12:09:30 PM
to us...@shibboleth.net
On 1/12/12 11:38 AM, "Johnson, Roger [BSD] - HSD" <roge...@uchicago.edu>
wrote:

>I am unable to get Shibboleth configured on my IIS box. I get as far as
>being sent to authenticate, and then I get IIS 500 errors.

If you get a 500 from the handler on the way back, that usually means the
SP isn't fully installed into IIS because the IIS APIs don't do what
they're asked to do by the installer. Usually it screws up the script
mapping from *.sso to the ISAPI extension DLL or fails to set the security
needed to allow it to run. The wiki includes all of the microsurgery steps
for each IIS version for integrating each piece into the server.

The main issue is that IIS requires the script mapping to be applied
either globally or at the site level, and doesn't appear to consistently
require this. Sometimes it's one and sometimes it's the other. It's also
often very difficult to figure out what script mappings are actually in
effect because of inheritance between the levels. I usually start by
creating the *.sso mapping globally and trying that. If that doesn't work,
I remove it, and try creating one on the site.

In addition, IIS sometimes hides detailed errors from the client and can
be told to provide more than just generic error messages.

Lastly, there's the possibility of a 32/64 bit mismatch but you wouldn't
get redirected to the IdP by the filter in that case, so it doesn't sound
applicable.

>I am not sure what information I need to provide to get help with this
>issue.

There's nothing you can provide. When it doesn't work, there's nothing you
can do but try applying the integration steps manually or at least
reviewing the IIS internals against what they need to be.

-- Scott

--
To unsubscribe from this list send an email to users-un...@shibboleth.net

Cantor, Scott

Jan 12, 2012, 12:16:01 PM
to us...@shibboleth.net
Forgot to add that this is why the documentation starts with checking
/Shibboleth.sso/Status. That runs the handler extension and confirms that
the most likely to be mis-installed part is working. You can't get a 500
from the SAML handlers if that one works.

Johnson, Roger [BSD] - HSD

Jan 12, 2012, 3:08:24 PM
to Shib Users

I have completely uninstalled Shib and reinstalled using the step by step of this guide...

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPWindowsIIS7Installer

When I try to go to this URL:

http://catts.uchicago.edu/Shibboleth.sso/status

I get Error: 500

Event Viewer Says:

Extension mode startup not possible, is the DLL loaded as a filter?

I have verified permissions on the directory.
I have verified configuration, and I have even added it to the local site.
I have tried removing it from the main site and added it to the local site exclusively.

Nothing seems to work.

What I get:

-Web Site Loads
-Navigate to “/secure” to initiate Shibboleth
-I get the login screen
-I login
-I get Server Error: 500 from URL: http://catts.uchicago.edu/Shibboleth.sso/SAML2/POST

Where do I go from here?

Roger Johnson

University of Chicago


Johnson, Roger [BSD] - HSD

Jan 12, 2012, 3:48:28 PM
to Shib Users

I have TeamViewer if anyone is available to look at this issue.

Roger Johnson
University of Chicago

Johnson, Roger [BSD] - HSD

Jan 12, 2012, 8:09:50 PM
to Shib Users

Any Ideas?

Johnson, Roger [BSD] - HSD

Jan 12, 2012, 9:07:52 PM
to Shib Users

I am finally getting some logs:

2012-01-12 19:53:55 ERROR Shibboleth.ISAPI [3940] isapi_shib_extension: Error reading request body from browser (2746).

2012-01-12 19:55:23 ERROR Shibboleth.ISAPI [3940] isapi_shib_extension: Error reading request body from browser (2746).

2012-01-12 19:58:39 ERROR Shibboleth.StatusHandler [3940] isapi_shib_extension: status handler request blocked from invalid address (128.135.138.53)

2012-01-12 19:58:45 ERROR Shibboleth.ISAPI [3940] isapi_shib_extension: Shibboleth handler invoked at an unconfigured location.

2012-01-12 19:58:50 ERROR Shibboleth.StatusHandler [3940] isapi_shib_extension: status handler request blocked from invalid address (128.135.138.53)

2012-01-12 19:59:53 ERROR Shibboleth.StatusHandler [3940] isapi_shib_extension: status handler request blocked from invalid address (128.135.138.53)

2012-01-12 20:00:05 ERROR Shibboleth.ISAPI [3940] isapi_shib_extension: Error reading request body from browser (2746).

2012-01-12 20:00:15 ERROR Shibboleth.ISAPI [3940] isapi_shib_extension: Shibboleth handler invoked at an unconfigured location.

2012-01-12 20:00:20 ERROR Shibboleth.Listener [3940] isapi_shib_extension: remoted message returned an error: Invalid HTTP method (GET).

2012-01-12 20:00:20 ERROR Shibboleth.ISAPI [3940] isapi_shib_extension: Invalid HTTP method (GET).

2012-01-12 20:01:05 ERROR Shibboleth.StatusHandler [3940] isapi_shib_extension: status handler request blocked from invalid address (128.135.138.53)

2012-01-12 20:02:04 ERROR Shibboleth.StatusHandler [3940] isapi_shib_extension: status handler request blocked from invalid address (128.135.101.229)

Cantor, Scott

Jan 12, 2012, 9:37:12 PM
to us...@shibboleth.net
On 1/12/12 9:07 PM, "Johnson, Roger [BSD] - HSD" <roge...@uchicago.edu>
wrote:

>I am finally getting some logs:

It appears to be functioning in part and your status ACL isn't allowing
access, which is simple to fix, and worth getting working to make sure the
handler's running and indicating things are working.

I think in other respects you may have a problem with IIS suppressing the
error information being reported by the SP because of the friendly error
setting it has. At least that's my guess.

I think you have a mixture of issues and possibly stale information that
isn't even relevant. I'd clear all logs, get the Status acl fixed and see
if that works, and then run fresh tests so that a complete log trace of
one login attempt is available.
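
The log review suggested above can be done mechanically. The following Python sketch is an added example, not part of the thread or of the Shibboleth project: it rejoins mail-wrapped log entries, groups them by the four error messages quoted in this thread, and lists the client addresses the Status handler rejected. The sample log uses constructed documentation addresses, and the whitespace-separated ACL string passed to `not_in_acl` is an assumed format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the native.log format quoted in this thread.
# Addresses are documentation ranges; one entry is wrapped across three
# lines the way a mail client would wrap it.
SAMPLE_LOG = """\
2012-01-12 19:53:55 ERROR Shibboleth.ISAPI [3940] isapi_shib_extension: Error reading request body from browser (2746).
2012-01-12 19:58:39 ERROR Shibboleth.StatusHandler [3940] isapi_shib_extension: status handler request blocked from invalid address (192.0.2.53)
2012-01-12 19:58:45 ERROR Shibboleth.ISAPI [3940] isapi_shib_extension: Shibboleth handler invoked at an unconfigured location.
2012-01-12 20:00:20 ERROR Shibboleth.Listener [3940]
isapi_shib_extension: remoted message returned an error: Invalid HTTP
method (GET).
2012-01-12 20:02:04 ERROR Shibboleth.StatusHandler [3940] isapi_shib_extension: status handler request blocked from invalid address (198.51.100.229)
"""

# A new entry starts with a timestamp; anything else is a continuation.
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

# Category names are labels chosen for this example. The patterns are the
# message texts that appear in the logs posted to the thread.
RULES = [
    # Status handler ACL does not list the requesting client.
    ("status_acl", re.compile(
        r"status handler request blocked from invalid address \(([^)]+)\)")),
    # The ISAPI extension could not read the POSTed form.
    ("post_body", re.compile(r"Error reading request body from browser")),
    # An endpoint was requested with a method it does not accept.
    ("wrong_method", re.compile(r"Invalid HTTP method \((\w+)\)")),
    # The request URL matched no configured handler location.
    ("bad_location", re.compile(r"handler invoked at an unconfigured location")),
]


def join_wrapped(text):
    """Return one string per log entry, rejoining wrapped lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TIMESTAMP.match(line):
            entries.append(line)
        elif entries:
            entries[-1] += " " + line
    return entries


def classify(entry):
    """Return (category, match) for the first rule that fits the entry."""
    for name, pattern in RULES:
        match = pattern.search(entry)
        if match:
            return name, match
    return "other", None


def triage(text):
    """Count log entries per category."""
    return Counter(classify(entry)[0] for entry in join_wrapped(text))


def blocked_status_clients(text):
    """Sorted unique client addresses rejected by the Status handler."""
    found = set()
    for entry in join_wrapped(text):
        name, match = classify(entry)
        if name == "status_acl":
            found.add(match.group(1))
    return sorted(found)


def not_in_acl(addresses, acl):
    """Addresses not covered by a whitespace-separated ACL string.

    Assumption: each ACL item is a single address or a CIDR network.
    """
    networks = [ipaddress.ip_network(item) for item in acl.split()]
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in net for net in networks)]


if __name__ == "__main__":
    for category, count in triage(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {category}")
    clients = blocked_status_clients(SAMPLE_LOG)
    # The ACL value here is a constructed sample, not taken from the thread.
    print("missing from ACL:", not_in_acl(clients, "127.0.0.1 192.0.2.53"))
```
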

Cantor, Scott

Jan 12, 2012, 11:01:37 PM
to us...@shibboleth.net
On 1/12/12 3:48 PM, "Johnson, Roger [BSD] - HSD" <roge...@uchicago.edu>
wrote:

>When I try to go to this URL:
>http://catts.uchicago.edu/Shibboleth.sso/status
>
>I get Error: 500

Some points:

That isn't the correct Status URL. URLs are not case insensitive.

The error is because the URL is wrong, and the fact that you get a generic
500 error means, as I already said, that IIS is suppressing errors from
the SP. You have to change the Error Pages feature settings to fix that. I
have now added this to the IIS7 page in the wiki as an additional bullet
point.

>
>Event Viewer Says:
>Extension mode startup not possible, is the DLL loaded as a filter?

I don't think that's still relevant with the other logs you posted, but it
would indicate the filter is not really configured.

>What I get:
>-Web Site Loads
>-Navigate to "/secure" to initiate Shibboleth
>-I get the login screen
>-I login
>-I get Server Error: 500 from URL:
>http://catts.uchicago.edu/Shibboleth.sso/SAML2/POST
>
>Where do I go from here?

Fix the error page setting so the actual error is visible and/or look at
all of the logs to determine what the actual error is.

Johnson, Roger [BSD] - HSD

Jan 12, 2012, 11:12:07 PM
to Shib Users
How do you clear the logs? I tried deleting them and get "file is in
use". I tried stopping the Shibboleth Service and it still doesn't let
me delete the files.

Roger Johnson
University of Chicago


Cantor, Scott

Jan 12, 2012, 11:32:29 PM
to us...@shibboleth.net
On 1/12/12 11:12 PM, "Johnson, Roger [BSD] - HSD" <roge...@uchicago.edu>
wrote:

>How do you clear the logs? I tried deleting them and get "file is in
>use". I tried stopping the Shibboleth Service and it still doesn't let
>me delete the files.

Depends on which log. There are two processes and two logs. Stopping shibd
doesn't have anything to do with IIS or vice versa.

Johnson, Roger [BSD] - HSD

Jan 13, 2012, 10:06:19 AM
to Shib Users
More Progress...

Paul Caskey solved my 403 problem by letting me know to add my IP
address to the Status attribute. The status page works now.

The following link works. It takes me to the University Login Page
http://catts.uchicago.edu/Shibboleth.sso/Login

Once I login, I get forwarded to the following URL:
http://catts.uchicago.edu/Shibboleth.sso/SAML2/POST

Here I get Server Error: 500

If I manually navigate to:
http://catts.uchicago.edu/Shibboleth.sso/Logout

I am able to successfully logout.

Where do I go from here?

Roger Johnson
University of Chicago



Cantor, Scott

Jan 13, 2012, 11:57:36 AM
to us...@shibboleth.net
On 1/13/12 10:06 AM, "Johnson, Roger [BSD] - HSD" <roge...@uchicago.edu>
wrote:
>

>Paul Caskey solved my 403 problem by letting me know to add my IP
>address to the Status attribute. The status page works now.

I told you the same thing. The Status handler is documented so that people
who experience an issue and don't understand how to fix it can find out
exactly what settings to change.

>Once I login, I get forwarded to the following URL:
>http://catts.uchicago.edu/Shibboleth.sso/SAML2/POST
>
>Here I get Server Error: 500

I told you what to do next (and documented it in the wiki page so others
wouldn't get caught by the same IIS issue).

>If I manually navigate to:
>http://catts.uchicago.edu/Shibboleth.sso/Logout
>
>I am able to successfully logout.

It's just acting as a no-op and treating it as a logout because the end
result is still that you're not logged in since you weren't logged in when
you accessed it. It's more evidence that the issue is simply IIS
suppressing the errors and you not checking the log for whatever it says
the actual error is.

Johnson, Roger [BSD] - HSD

Jan 13, 2012, 4:14:42 PM
to Shib Users
Hey Scott,

What is the direct URL to that link? I'm all about the self-help and I have been using the following documentation.
https://wiki.shibboleth.net/confluence/display/SHIB2/Troubleshooting

Reading through your previous responses, I did see your suggestion. Sorry about the miss.

Roger Johnson
University of Chicago



Cantor, Scott

Jan 13, 2012, 4:22:09 PM
to us...@shibboleth.net
On 1/13/12 4:14 PM, "Johnson, Roger [BSD] - HSD" <roge...@uchicago.edu>
wrote:
>

>What is the direct URL to that link? I'm all about the self-help and I
>have been using the following documentation.
>https://wiki.shibboleth.net/confluence/display/SHIB2/Troubleshooting

I don't know which link you're asking for. If you mean the Status handler
documentation, try searching the wiki for "Status handler".

Johnson, Roger [BSD] - HSD

Jan 13, 2012, 4:32:08 PM
to Shib Users
Sorry. I'm referring to the error I referenced in the following:
More Progress...

>Paul Caskey solved my 403 problem by letting me know to add my IP
address to the Status attribute. The status page works now.

>The following link works. It takes me to the University Login Page
http://catts.uchicago.edu/Shibboleth.sso/Login

>Once I login, I get forwarded to the following URL:
>http://catts.uchicago.edu/Shibboleth.sso/SAML2/POST
>Here I get Server Error: 500

>If I manually navigate to:
>http://catts.uchicago.edu/Shibboleth.sso/Logout
>I am able to successfully logout.

>Where do I go from here?

You mentioned that the resolution to my problem is documented. Where is
it documented?

Roger Johnson
University of Chicago



Johnson, Roger [BSD] - HSD

Jan 13, 2012, 4:37:52 PM
to Shib Users
To further the question:

How do I turn the IIS Error 500 from the URL
(http://catts.uchicago.edu/Shibboleth.sso/SAML2/POST) into something
productive in troubleshooting?

The Shib logs do not record anything and Error Logs are not helpful.

Roger Johnson
University of Chicago



Cantor, Scott

Jan 13, 2012, 4:45:26 PM
to us...@shibboleth.net
On 1/13/12 4:37 PM, "Johnson, Roger [BSD] - HSD" <roge...@uchicago.edu>
wrote:

>To further the question:
>
>How do I turn the IIS Error 500 from the URL
>(http://catts.uchicago.edu/Shibboleth.sso/SAML2/POST) into something
>productive in troubleshooting?

You change IIS' Error Page behavior from Custom to Detailed. While it is
not my job to document IIS, I briefly outlined this on the IIS7
installation page subordinate to the rest of the Windows installation
material.

But it will not help you. The error will be generic and not specific to
the problem.

>The Shib logs do not record anything and Error Logs are not helpful.

There is absolutely no way the shibd log doesn't say what the error is if
it happens that late in the process.

--- Scott

Johnson, Roger [BSD] - HSD

Jan 13, 2012, 4:48:14 PM
to Shib Users
Scott,

Are you available to TeamViewer into my box?

Roger Johnson
University of Chicago



Johnson, Roger [BSD] - HSD

Jan 13, 2012, 4:50:47 PM
to Shib Users
Found a few lines after rebooting and trying again:

2012-01-13 08:43:06 ERROR Shibboleth.ISAPI [5436] isapi_shib_extension: Error reading request body from browser (2746).
2012-01-13 08:50:03 ERROR Shibboleth.ISAPI [5436] isapi_shib_extension: Error reading request body from browser (2746).
2012-01-13 08:52:52 ERROR Shibboleth.ISAPI [5436] isapi_shib_extension: Error reading request body from browser (2746).
2012-01-13 08:52:57 ERROR Shibboleth.ISAPI [5436] isapi_shib_extension: Error reading request body from browser (2746).
2012-01-13 08:55:38 ERROR Shibboleth.ISAPI [5436] isapi_shib_extension: Error reading request body from browser (2746).
2012-01-13 09:16:28 ERROR Shibboleth.ISAPI [5436] isapi_shib_extension: Shibboleth handler invoked at an unconfigured location.
2012-01-13 09:17:22 ERROR Shibboleth.Listener [5436] isapi_shib_extension: remoted message returned an error: Invalid HTTP method (GET).
2012-01-13 09:17:22 ERROR Shibboleth.ISAPI [5436] isapi_shib_extension: Invalid HTTP method (GET).
2012-01-13 15:48:28 ERROR Shibboleth.Listener [1960] isapi_shib_extension: remoted message returned an error: Invalid HTTP method (GET).
2012-01-13 15:48:28 ERROR Shibboleth.ISAPI [1960] isapi_shib_extension: Invalid HTTP method (GET).
2012-01-13 15:49:09 ERROR Shibboleth.ISAPI [1960] isapi_shib_extension: Error reading request body from browser (2746).

Roger Johnson
University of Chicago



Cantor, Scott

Jan 13, 2012, 4:57:50 PM
to us...@shibboleth.net
On 1/13/12 4:50 PM, "Johnson, Roger [BSD] - HSD" <roge...@uchicago.edu>
wrote:

>Found a few lines after rebooting and trying again:

You are using the wrong log. The native.log is not relevant to this,
shibd.log is.

Johnson, Roger [BSD] - HSD

Jan 13, 2012, 5:02:57 PM
to Shib Users
For the same time period in the "Shibd.log" file it has:

2012-01-13 15:10:21 INFO Shibboleth.Listener [1]: detected socket closure, shutting down worker thread

Roger Johnson
University of Chicago



Cantor, Scott

Jan 13, 2012, 5:13:18 PM
to us...@shibboleth.net
On 1/13/12 5:02 PM, "Johnson, Roger [BSD] - HSD" <roge...@uchicago.edu>
wrote:

>For the same time period in the "Shibd.log" file it has:
>
>2012-01-13 15:10:21 INFO Shibboleth.Listener [1]: detected socket
>closure, shutting down worker thread

You've stumped me then. You can try getting the error page to pass through
and see if it's a clue, but the other log information referring to the
inability to get the POST body combined with nothing in the real log
suggests the problem is with the client.

If it can't read the POST data, that would explain the symptoms, but
unless there's some kind of firewall or proxy interfering between the
browser and the server, I don't know how to address such a problem. I
assumed that those messages were extraneous, perhaps evidence that you
were trying to debug it by accessing the /SAML2/POST endpoint directly
with a GET.

You may want to try running a test with a browser on the same host, or try
alternative browsers, and see if anything changes.

Johnson, Roger [BSD] - HSD

Jan 13, 2012, 10:06:22 PM
to Shib Users
OK New Knowledge:
When installing Shibboleth, DISABLE SHARED CONFIGURATION

After I did that, Everything installed without issue...

BUT, I am now getting this after logging in:
2012-01-13 21:04:08 ERROR Shibboleth.ISAPI [4696] isapi_shib_extension: Error reading request body from browser (2746).

It shows under IIS as error 500...

Roger Johnson
University of Chicago



Cantor, Scott

Jan 13, 2012, 11:38:50 PM
to Shib Users, Shib Users
On Jan 13, 2012, at 10:07 PM, "Johnson, Roger [BSD] - HSD" <roge...@uchicago.edu> wrote:

> OK New Knowledge:
> When installing Shibboleth, DISABLE SHARED CONFIGURATION
>
> After I did that, Everything installed without issue...

I don't know what that means but if it's explained it can be documented.

> BUT, I am now getting this after logging in:
> 2012-01-13 21:04:08 ERROR Shibboleth.ISAPI [4696] isapi_shib_extension: Error reading request body from browser (2746).

That's what you were getting, so nothing has changed. The IIS module is not reading the form submission necessary to do its job. I can't fix that because I don't have an explanation. Hundreds of servers of various versions do not exhibit that behavior, but a handful have reported that error and I don't know of any solution that has ever shown itself. If it works, it works, if not, it never seems to. It may be an obscure difference in configuration somewhere, but there isn't any known reason for it.

It's in the plans to add debugging log entries to the entire read loop but that's also a future change. However if you're willing to drop in a modified file, I can try and find some time this weekend to patch in some logging and do a build to try for gathering additional detail.

> It shows under IIS as error 500...

All errors from the SP are 500 errors.

I told you why it reports that and documented the way to address that, but changing the error reporting outcome doesn't change the error itself unfortunately.

Johnson, Roger [BSD] - HSD

Jan 14, 2012, 12:49:30 PM
to Shib Users
I am willing to try anything you propose or install any software you
recommend.

Roger Johnson
University of Chicago



Cantor, Scott

Jan 14, 2012, 4:26:48 PM
to us...@shibboleth.net
For the list archive's benefit, a number of tests and additional debug
logging indicate this particular server is reporting no data available
from the form POST to the IIS extension, so we're not really sure what the
cause is.

Roger is planning to try this on a new VM with a similar config to see
what happens.

Similar reports have popped up once in a while on the list, and I don't
know of any solutions when they do, but possibly we'll track something
down.

Johnson, Roger [BSD] - HSD

Jan 18, 2012, 1:02:02 PM
to Shib Users
Hello All,

I built a VM to isolate the NLB from the equation. It appears that I am
still having the problem.

------------------------------------------------------------------------
xmltooling::IOException

The system encountered an error at Wed Jan 18 11:45:25 2012

To report this problem, please contact the site administrator at
roge...@uchicago.edu.

Please include the following message in any email:

xmltooling::IOException at
(http://catts.uchicago.edu/Shibboleth.sso/SAML2/POST)

Error reading request body from browser (0).

------------------------------------------------------------------------

Roger Johnson
University of Chicago


Cantor, Scott

Jan 18, 2012, 2:03:30 PM
to us...@shibboleth.net
On 1/18/12 1:02 PM, "Johnson, Roger [BSD] - HSD" <roge...@uchicago.edu>
wrote:
>

>I built a VM to isolate the NLB from the equation. It appears that I am
>still having the problem.

Is this a totally vanilla IIS, or is it modified at all in some way
similar to your production site?

The one thing I had a thought about was you asked at one point if some
kind of URL translation step could be responsible, and I said no, but
there is one way it could. If there are other IIS filters in the site, if
any of those runs before the SP's filter and it consumes the POST data for
some purpose, that will prevent the SP filter from seeing the data. I
think it would probably manifest exactly like it did when we debugged it.

Are there any other filters there? Can you adjust the order?

Johnson, Roger [BSD] - HSD

Jan 18, 2012, 2:25:15 PM
to Shib Users
There is a URL Rewrite module that consumes all posts to determine if it
is a dynamic URL or static URL.

The VM box is a flat IIS install. No other modules, but it is the Web
Edition of Win2008. I've wiped that out and I am now trying the Standard
Edition.

Roger Johnson
University of Chicago



Johnson, Roger [BSD] - HSD

Jan 18, 2012, 3:41:52 PM
to Shib Users
Clean install with no secondary modules.
Box is NOT joined to Domain.

Error: isapi_shib_extension: Error reading request body from browser
(2746)

Any Ideas?

Roger Johnson
University of Chicago



Cantor, Scott

Jan 18, 2012, 3:53:02 PM
to us...@shibboleth.net
On 1/18/12 3:41 PM, "Johnson, Roger [BSD] - HSD" <roge...@uchicago.edu>
wrote:

>Clean install with no secondary modules.
>Box is NOT joined to Domain.
>
>Error: isapi_shib_extension: Error reading request body from browser
>(2746)
>
>Any Ideas?

No. I can't explain how everything you're trying fails, other than to say
something in your environment has to be involved. Not unless others are
suddenly seeing this problem on every server they install, and I know
that's not the case here at OSU. IIS is very prevalent here.

I don't have time to do a straight install at the moment, but perhaps you
can find a fresh set of eyes that has done an install and see if there's
some sort of documentation issue leading you down a bad path somewhere...

Johnson, Roger [BSD] - HSD

Jan 18, 2012, 4:25:13 PM
to Shib Users
Could this be a problem with our Authentication Server? Is that even
possible? I know it is working with Apache servers.

On my fresh install box, with no add-ins, no domain, no network
in-between, and no other sites, it doesn't work. I'm sure it's not IIS
because as Scott stated, OSU has several and they all work fine. I have
tried Win2008 Web Edition, Win2008 R2 Web Edition, and Win2008 R2
Standard Edition.

Sorry, I know I'm just shooting in the dark to figure this out.

Roger Johnson
University of Chicago



Cantor, Scott

Jan 18, 2012, 4:30:40 PM
to us...@shibboleth.net
On 1/18/12 4:25 PM, "Johnson, Roger [BSD] - HSD" <roge...@uchicago.edu>
wrote:

>Could this be a problem with our Authentication Server? Is that even
>possible? I know it is working with Apache servers.

It is not your IdP. Definitely, absolutely, totally impossible.

>On my fresh install box, with no add-ins, no domain, no network
>in-between, and no other sites, it doesn't work. I'm sure it's not IIS
>because as Scott stated, OSU has several and they all work fine. I have
>tried Win2008 Web Edition, Win2008 R2 Web Edition, and Win2008 R2
>Standard Edition.
>
>Sorry, I know I'm just shooting in the dark to figure this out.

I think it has to be some step you're undertaking that is either
misdocumented or that you're just doing by rote, but it can't be
coincidence that yours keep failing.

I think I misspoke earlier also...the POST issue would be involving ISAPI
extensions, not the filters. I would look for some kind of extension via
script mapping or something like that that is set to run globally or ahead
of the SP extension for .sso requests. That's what seems to be most likely
to be consuming the POST. I said filter, but that's wrong, filters do not
have access to the POST data in general.

I would say that something in the IIS setup is getting in there and
fouling it up, maybe something unusual that you install by default and
others don't.

Caskey, Paul

Jan 18, 2012, 8:41:01 PM
to Shib Users
Roger-

Could this possibly be related to a web proxy messing with your POST data? Do you all even use a web proxy?

Are there any load balancers or any other security devices or software in between you and IIS?

When all other explanations fail, blame the security stuff. :)


Johnson, Roger [BSD] - HSD

Jan 18, 2012, 9:24:52 PM
to Shib Users
Hey,

There is no proxy. In fact, the box has a LIVE IP Address.

I've tried to eliminate all possibilities.

Things I have removed as issues:
- Domain (fresh install - not joined to domain)
- Domain Group Policy (no domain policy applied)
- Control Access (removed win2008 advanced security)
- Account Shibboleth runs under (set to run as local administrator)
- URL Rewrite module (removed)
- Changed from Win2008 Web Edition to Win2008 Standard Edition
- IIS Pool account running under Local Admin account

I am currently working on a box that isn't joined to the domain, has no
group policies, has access control turned off, and has all IIS features
installed.

I'm still not able to get it to work.

The weird part is, it works on my local Windows7 box but I can't get it
to work on Windows 2008.

I AM WILLING TO TRY ANYTHING! I DO HAVE MY SOUL TO SELL.

Johnson, Roger [BSD] - HSD

Jan 18, 2012, 9:32:44 PM
to Shib Users
From Native_Warn.log:
2012-01-18 18:26:03 ERROR Shibboleth.ISAPI [2764] isapi_shib_extension: Error reading request body from browser (2746).
2012-01-18 18:26:06 ERROR Shibboleth.Listener [2764] isapi_shib_extension: remoted message returned an error: Invalid HTTP method (GET).
2012-01-18 18:26:06 ERROR Shibboleth.ISAPI [2764] isapi_shib_extension: Invalid HTTP method (GET).

FROM native.log:
2012-01-18 18:26:03 ERROR Shibboleth.ISAPI [2764] isapi_shib_extension: Error reading request body from browser (2746).
2012-01-18 18:26:06 ERROR Shibboleth.Listener [2764] isapi_shib_extension: remoted message returned an error: Invalid HTTP method (GET).
2012-01-18 18:26:06 ERROR Shibboleth.ISAPI [2764] isapi_shib_extension: Invalid HTTP method (GET).

Roger Johnson

Caskey, Paul

Jan 18, 2012, 9:41:40 PM
to Shib Users
What browser are you using when you test it?

Sorry for what might seem to be silly questions - just trying to help...


Johnson, Roger [BSD] - HSD

Jan 18, 2012, 9:44:08 PM
to Shib Users
It's an ASP.NET site, but the /secure directory (which is what Shibboleth
is reacting to) is a single ASP.NET page that simply returns to the
page all the headers. Later it will create a FormsSession with the user
identity returned by Shibboleth.

Caskey, Paul

Jan 18, 2012, 9:52:18 PM
to Shib Users
But when you access it, are you by any chance only using IE?

I was just curious if you had tried another browser - firefox or whatever.


Cantor, Scott

Jan 18, 2012, 9:54:44 PM
to Shib Users
> From Native_Warn.log:
> 2012-01-18 18:26:03 ERROR Shibboleth.ISAPI [2764] isapi_shib_extension: Error reading request body from browser (2746).
> 2012-01-18 18:26:06 ERROR Shibboleth.Listener [2764] isapi_shib_extension: remoted message returned an error: Invalid HTTP method (GET).
> 2012-01-18 18:26:06 ERROR Shibboleth.ISAPI [2764] isapi_shib_extension: Invalid HTTP method (GET).

The latter two are from your reloading the /SAML2/POST page after IIS returns the initial 500 error, and that turns into a GET, which is invalid for that endpoint. That's why they're three seconds later. The only important error is the POST failing. Error 0x2746 is a connection reset error which happens because the client has closed the connection to the server by the time the extension asks for the data. That in turn is because something has already read and swallowed the POST, leaving no data for the SP to read, so when it asks for the data, it's gone, and the client has already gone away.

All of that is very clear from the tracing we did. What isn't clear is what's swallowing the POST, or why your IIS installs seem to be consistently doing this.

Something we didn't try, though, was switching to 32-bit. You could try doing an install with the 32-bit version. You would need to tell IIS to use an App Pool that supports 32-bit .NET processes.
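
The triage described in the post above, applied mechanically to the quoted log: an added Python example (not part of the thread or of the Shibboleth SP) that re-joins the wrapped lines, reads the parenthesised value as hex as the post does, and separates the failed POST read from the GET errors caused by reloading. The 30-second window and the last sample record are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# The first three records are the native.log lines quoted in the thread, with
# the mail client's wrapping; the last record is constructed for illustration.
SAMPLE_LOG = """\
2012-01-18 18:26:03 ERROR Shibboleth.ISAPI [2764] isapi_shib_extension:
Error reading request body from browser (2746).
2012-01-18 18:26:06 ERROR Shibboleth.Listener [2764]
isapi_shib_extension: remoted message returned an error: Invalid HTTP
method (GET).
2012-01-18 18:26:06 ERROR Shibboleth.ISAPI [2764] isapi_shib_extension:
Invalid HTTP method (GET).
2012-01-18 18:40:00 ERROR Shibboleth.ISAPI [2764] isapi_shib_extension:
Invalid HTTP method (GET).
"""

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+) "
    r"(?P<category>\S+) \[(?P<id>\d+)\] (?P<context>\S+): (?P<msg>.*)$"
)
BODY_READ = re.compile(r"Error reading request body from browser \(([0-9A-Fa-f]+)\)")
BAD_GET = "Invalid HTTP method (GET)"

# The thread reads the value in parentheses as hex: 0x2746 == 10054.
KNOWN_CODES = {0x2746: "connection reset (Winsock WSAECONNRESET, 10054)"}


def parse_records(text):
    """Strip mail quote markers, re-join wrapped lines, return parsed records."""
    joined = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line:
            continue
        if RECORD_START.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line  # continuation of a wrapped record
    records = []
    for line in joined:
        m = RECORD.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            records.append(rec)
    return records


def triage(text, window_seconds=30):
    """Return (failures, stray_gets).

    failures:   one entry per failed POST body read, with the decoded code and
                the number of GET errors that followed inside the window
                (the browser reload described in the thread).
    stray_gets: GET errors with no failed read shortly before them.
    """
    window = timedelta(seconds=window_seconds)
    failures, stray_gets = [], []
    for rec in parse_records(text):
        m = BODY_READ.search(rec["msg"])
        if m:
            code = int(m.group(1), 16)
            failures.append({
                "ts": rec["ts"],
                "code": code,
                "meaning": KNOWN_CODES.get(code, "not covered in the thread"),
                "reload_gets": 0,
            })
        elif BAD_GET in rec["msg"]:
            for failure in reversed(failures):
                if timedelta(0) <= rec["ts"] - failure["ts"] <= window:
                    failure["reload_gets"] += 1
                    break
            else:
                stray_gets.append(rec)
    return failures, stray_gets


if __name__ == "__main__":
    failures, stray = triage(SAMPLE_LOG)
    for f in failures:
        print(f"{f['ts']}  POST body read failed, code 0x{f['code']:X}: "
              f"{f['meaning']}; {f['reload_gets']} follow-on GET error(s)")
    for rec in stray:
        print(f"{rec['ts']}  GET to a POST-only endpoint with no failed read before it")
```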

David Langenberg

Jan 18, 2012, 10:13:07 PM
to Shib Users
Hi Paul

We've tried both IE and Google Chrome. Mac, Windows makes no difference.

David Langenberg
Identity Management
The University of Chicago

Johnson, Roger [BSD] - HSD

Jan 18, 2012, 10:13:54 PM
to Shib Users
I think my metadata is messed up. I'm getting a new error:
Error Message: No peer endpoint available to which to send SAML response

Roger Johnson
University of Chicago



Johnson, Roger [BSD] - HSD

Jan 18, 2012, 10:18:11 PM
to Shib Users
Ignore my last message. I figured out the problem.

It happens when I try logging in from the non-https.

Roger Johnson
University of Chicago



Johnson, Roger [BSD] - HSD

Jan 18, 2012, 10:22:23 PM
to Shib Users
I'm going to try Scott's 32bit try.

Cantor, Scott

Jan 18, 2012, 10:34:27 PM
to Shib Users
> I'm going to try Scott's 32bit try.

You may want to start with getting http working as a test. Most of the time I do testing with IIS using http simply because it's a giant pain to do SSL with, and I don't worry much about it. If there's an issue with SSL support interfering with ISAPI use, I'd be less likely to see it myself.

Not exactly what you want to hear, but I just started an old 2008 R2 VM up on the Shib project's Penn State VM playground server, which had a broken version of 2.4.2 on it. I uninstalled that, it hung, I aborted the uninstall, installed 64-bit 2.4.3 over top, let it generate a new keypair, edited the hostname and entityIDs, grabbed that metadata and exchanged it with my dev IdP at OSU. Worked the first time without touching IIS. It is http though.

I'm happy to give you access to that VM if it's helpful to look at, it's globally accessible if you know the IP/name.

Johnson, Roger [BSD] - HSD

Jan 18, 2012, 10:34:38 PM
to Shib Users
-Uninstalled Shibboleth
-Installed 32bit version
-Configured Application pool to run as 32bit mode
-restarted box
-tried again - Same Error

Johnson, Roger [BSD] - HSD

Jan 18, 2012, 10:38:45 PM
to Shib Users
It might be very useful to see another box that is working. I will need
David to remove the HTTPS from the post back (reload the metadata).

Scott:
Can you give me RDP access to your box?

Roger Johnson
University of Chicago



Cantor, Scott

Jan 18, 2012, 10:40:55 PM
to Shib Users
> It might be very useful to see another box that is working. I will need
> David to remove the HTTPS from the post back (reload the metadata).

Yes, you'd need to get the metadata adjusted to try it.

> Scott:
> Can you give me RDP access to your box?

It's catching up on about 60 patches at the moment, but I'll email you the info and create an admin account for you.

Johnson, Roger [BSD] - HSD

Jan 18, 2012, 10:42:56 PM
to Shib Users
OH that reminds me... this box is not patched either (to remove a KB
patch being the cause).

This is SO frustrating! I bet it is for you guys too!

Roger Johnson
University of Chicago



Johnson, Roger [BSD] - HSD

Jan 18, 2012, 11:09:07 PM
to Shib Users
FYI,

I also tried moving the Shibboleth ISAPI filter to the top of the pecking
order so it would get all posts first.

Roger Johnson
University of Chicago



Cantor, Scott

Jan 18, 2012, 11:14:06 PM
to Shib Users
> I also tried moving the Shibboleth ISAPI filter to the top of the pecking
> order so it would get all posts first.

It's the extension role that matters, I was speaking incorrectly earlier. The filter part can't see POST data. If something is affecting it inside IIS, it's a script mapping, probably a wildcard. But no default IIS install includes anything like that that interferes.

Johnson, Roger [BSD] - HSD

Jan 19, 2012, 12:29:05 PM
to Shib Users
!!!! GOT IT !!!!

After over 100 hours of troubleshooting, I found the issue!

I use a development tool called Telerik (very popular).

They have a module called "RadCompression". Removing this functionality
allows Shibboleth to work.

SO, the problem is solved for now BUT, many developers will not be OK
with removing the Compression module. This should be analyzed further
to come up with a work around.

Roger Johnson
University of Chicago
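
One way to inventory what a site's web.config puts in front of the SP's *.sso mapping, given the finding above and the earlier remarks in the thread about wildcard script mappings: an added Python example, not code from the thread, Shibboleth or Telerik. The sample web.config is constructed; the module type name, handler names and DLL paths in it are assumptions, and only this one file is read, not settings inherited from applicationHost.config.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment (names, types and paths are assumptions).
SAMPLE_WEB_CONFIG = r"""
<configuration>
  <system.webServer>
    <modules>
      <add name="RadCompression" type="Telerik.Web.UI.RadCompression" />
      <add name="Session" type="System.Web.SessionState.SessionStateModule"
           preCondition="managedHandler" />
    </modules>
    <handlers>
      <add name="CatchAll" path="*" verb="*" modules="IsapiModule"
           scriptProcessor="C:\example\other.dll" />
      <add name="Shibboleth" path="*.sso" verb="*" modules="IsapiModule"
           scriptProcessor="C:\example\isapi_shib.dll" />
      <add name="Late" path="*" verb="*" modules="IsapiModule"
           scriptProcessor="C:\example\late.dll" />
    </handlers>
  </system.webServer>
</configuration>
"""


def audit(web_config_xml, sp_path="*.sso"):
    """List pipeline entries worth disabling one at a time while testing.

    Returns tuples of (kind, name, detail):
      ("module", ...)  a managed module that runs for every request in the
                       integrated pipeline, including requests served by an
                       ISAPI extension, because it lacks the managedHandler
                       preCondition or runAllManagedModulesForAllRequests is on
      ("handler", ...) a wildcard (path="*") mapping listed ahead of the
                       mapping for sp_path
    """
    root = ET.fromstring(web_config_xml.strip())
    findings = []

    for modules in root.iter("modules"):
        run_all = modules.get("runAllManagedModulesForAllRequests",
                              "false").lower() == "true"
        for add in modules.findall("add"):
            managed_type = add.get("type")  # native modules carry no type here
            pre = {p.strip() for p in add.get("preCondition", "").split(",")}
            if managed_type and (run_all or "managedHandler" not in pre):
                findings.append(("module", add.get("name"), managed_type))

    for handlers in root.iter("handlers"):
        for add in handlers.findall("add"):
            path = add.get("path", "")
            if path.lower() == sp_path:
                break  # mappings listed after the SP's are behind it
            if path == "*":
                detail = (add.get("scriptProcessor") or add.get("type")
                          or add.get("modules"))
                findings.append(("handler", add.get("name"), detail))

    return findings


if __name__ == "__main__":
    for kind, name, detail in audit(SAMPLE_WEB_CONFIG):
        print(f"{kind:8} {name:16} {detail}")
```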



Cantor, Scott

Jan 19, 2012, 12:53:33 PM
to us...@shibboleth.net
On 1/19/12 12:29 PM, "Johnson, Roger [BSD] - HSD" <roge...@uchicago.edu>
wrote:

>
>They have a module called "RadCompression". Removing this functionality
>allows Shibboleth to work.
>
>SO, the problem is solved for now BUT, many developers will not be OK
>with removing the Compression module. This should be analyzed further
>to come up with a work around.

I don't know that there is one, once the data's gone, it's pretty much
gone. But you're certainly welcome to file a bug on it. Glad you were able
to track it down. Can I assume you don't need the VM test account now?

Johnson, Roger [BSD] - HSD

Jan 19, 2012, 1:16:51 PM
to Shib Users
Thanks for Everyone's Help! There were several issues that you helped
me solve and I appreciate all the effort, patience and time.

I will not need the VM anymore, but it was VERY helpful to compare
configurations.

Just to be clear:
-NLB not the problem
-Shared Configuration not the problem
-Server Edition Doesn't Matter (web, standard, enterprise)
-.NET version doesn't matter

Roger Johnson
University of Chicago



David Gersic

Jan 19, 2012, 2:12:47 PM
to Shib Users
>>> On 1/19/2012 at 11:29 AM, "Johnson, Roger [BSD] - HSD" <roge...@uchicago.edu>
wrote:
> !!!! GOT IT !!!!
>
> After over 100 hours of troubleshooting, I found the issue!
>
> I use a development tool called Telerik (very popular).
>
> They have a module called "RadCompression". Removing this functionality
> allows Shibboleth to work.

http://www.telerik.com/help/aspnet-ajax/radcompression.html

So this thing messes with the data being transmitted. I can see how that would conflict with Shibboleth. Way back at the start, wasn't the question asked "is this a vanilla IIS install"? It seems to me that if you're adding this to it, it's no longer a vanilla IIS install.


> SO, the problem is solved for now BUT, many developers will not be OK
> with removing the Compression module. This should be analyzed further
> to come up with a workaround.

Workaround: Don't use "RadCompression".

It might be a good idea to add this to the documentation for the next guy that runs into it though.

Johnson, Roger [BSD] - HSD

Jan 19, 2012, 2:16:44 PM
to Shib Users
Hey David,

RadCompression ISN'T AN IIS MODULE. It's an application setting.

So, YES, it was a vanilla IIS Install.

Roger Johnson
University of Chicago


-----Original Message-----
From: users-...@shibboleth.net [mailto:users-...@shibboleth.net]
On Behalf Of David Gersic
Sent: Thursday, January 19, 2012 1:13 PM
To: Shib Users
Subject: RE: Install/Configuration/Run Errors

http://www.telerik.com/help/aspnet-ajax/radcompression.html


Cantor, Scott

Jan 19, 2012, 2:30:25 PM
to us...@shibboleth.net
On 1/19/12 2:12 PM, "David Gersic" <dge...@niu.edu> wrote:
>
>So this thing messes with the data being transmitted. I can see how that
>would conflict with Shibboleth. Way back at the start, wasn't the
>question asked "is this a vanilla IIS install"? It seems to me that if
>you're adding this to it, it's no longer a vanilla IIS install.

Anything able to mess with the HTTP pipeline of messages that it has no
need to be seeing is definitely not a vanilla install. But I found it odd
that the description of the module was that it compressed responses (they
misstate that as requests, but it seems to mean responses to form posts).
That doesn't make sense if it's blowing up the request too, but I think
the upshot is they mess with something that doesn't work well with the
legacy ISAPI.

I completely favor getting an IIS7 module written, it will solve a lot of
problems, including supporting server variables instead of headers for
data.

It's hard to grasp that Windows 2003, and thus IIS6, is 7-8 years old. It
used to be impossible to imagine dropping native ISAPI, but it's not so
crazy now.

-- Scott
