IIS and new Service Provider v2.5

Martin B. Smith smithmb at ufl.edu
Tue Nov 6 11:18:53 EST 2012

Hi all,

At the University of Florida, we have a number of system administrators 
reporting that, after upgrading to v2.5 of the service provider 
software, their IIS sites are returning the following error:

ERROR Shibboleth.ISAPI [8236] isapi_shib: Attempt to spoof header (st:) 
was detected.

I've had this reported for:

   IIS 6 on Windows 2003 SP2 32 bit
   IIS 7 on Windows (unknown specific platform)
   IIS 7 on Windows Server 2008 R2, SP1 x64

As you can tell by the platform list, this problem has been reported by 
a number of different systems administrators on our campus. As I'm not 
administering any IIS machines myself, I don't have a minimal example to 
demonstrate or investigate the problem myself.

Has anyone else seen this, and if so, did you identify a root cause? I'm 
surprised as "st:" is not a header I've ever heard of, and it doesn't 
match any attribute that we vend to service providers.

Thanks in advance,
Martin B. Smith, Systems Administrator
smithmb at ufl.edu - (352) 273-1329
UF Information Technology, CNS/Open Systems Group
University of Florida

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3740 bytes
Desc: S/MIME Cryptographic Signature
Url : http://shibboleth.net/pipermail/users/attachments/20121106/38176fea/attachment.bin 

More information about the users mailing list