Shibboleth SP IIS Error 2746
Lukas Hämmerle
lukas.haemmerle at switch.ch
Fri May 8 10:22:12 EDT 2015
Hello all
One of our SP admins is dealing with a hard IIS Shibboleth SP problem
that we also have not yet found a solution for. His setup is a Windows
Server with IIS 7.5 and the SP 2.5.4.
Installation went fine and the SP worked ok for some time. Then,
apparently an external developer installed his web service (and
potentially applied configuration changes to IIS). Now, authentication
fails after a user is sent back to the Service Provider with an "500 -
Internal server error" and the Shibboleth error message:
-------------------------------------------------------------------------
xmltooling::IOException
The system encountered an error at Fri May 08 16:07:19 2015
To report this problem, please contact the site administrator at
helpdesk at some.host.in.ch.
Please include the following message in any email:
xmltooling::IOException at
(https://some.host.in.ch/Shibboleth.sso/SAML2/POST)
Error reading request body from browser (2746).
-------------------------------------------------------------------------
As usual the last line of the error is the most interesting one. Error
2746 led us to believe that there might be an ISAPI extension/filter
installed which interferes with IIS. In the mail archives and with
Google we found that in particular the following two extensions/filter
might cause problems:
* "BlackBaud BBIS", see
https://shibboleth.net/pipermail/users/2013-August/011713.html
* "Telerik", because it contains RadCompression, see
https://shibboleth.net/pipermail/users/2012-January/002476.html
However, we have not found any of those extensions in that particular
installation.
We also have tried to:
* Completely remove and reinstall the Shibboleth SP
* Configure the IIS part manually as described on:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPWindowsIIS7Installer
* Move the Shib ISAPI filter to the front of the ordered ISAPI filter list
* Move the Shib ISAPI filter to the end of the ordered ISAPI filter list
* Move the Shib ISAPI Handler mapping to the front, then end or before
all the .* mappings.
All to no avail... So, we have pretty much run out of ideas except:
* Reinstalling the whole IIS (apparently quite cumbersome)
* Revert back to a previous backup of the VM (would mean redoing some
work)
* Find a machine that is set up similarly and compare the ISAPI
filters/handlers and their order
However, maybe someone has a better debugging idea or can extend that
list of known ISAPI filters/extensions that conflict with Shib.
Best Regards
Lukas
--
SWITCH
Lukas Hämmerle, Central Solutions
GÉANT Project Task Leader "Enabling Users"
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 05, direct +41 44 268 15 64
lukas.haemmerle at switch.ch, http://www.switch.ch
More information about the users
mailing list