You may see the following error while browsing the reports in SQL Server 2005 Reporting Service:
Error Code: 500 Internal Server Error. The request was rejected by the HTTP filter. Contact the server administrator. (12217)
We have seen that this error surfaces when you do one of the following:
1. go to report manager.
2. go to Properties
3. click on Edit link for BUILTIN\Administrator
4. click on the New Role button
1. Open http://reports.abc123.com/Reports and log in
2. Click on Properties tab
3. Click on Edit next to the Administrator role
4. Click on the New Role button
SQL + SSRS + ISA(Microsoft ISA 2006 Firewall)
[MACHINE – SQL Server + SSRS + ISA ]
Microsoft SQL Server Reporting Services Version = 9.00.3054
OS Version: Windows 2003 Server, R2 Enterprise, x64 Edition
1. Start the ISA Server Management tool.
2. Expand ServerName, where ServerName is the name of your ISA Server computer.
3. Click Firewall Policy, click the Web publishing rule that you created to publish the SQL Server computer for access by SQL Reporting Service users, and then click Edit Selected Rule.
4. Click the Traffic tab, click Filtering, and then click Configure HTTP.
5. Click to clear the “verify normalization” check box, and then click OK two times.
6. Click Apply to update the firewall policy, and then click OK.
Select Verify normalization blocks requests with URLs containing escaped characters after normalization.
Note: Web servers receive requests that are URL encoded. This means that certain characters may be replaced with a percent sign (%) followed by a particular number. For example, %20 corresponds to a space, so a request for http://myserver/My%20Dir/My%20File.htm is the same as a request for http://myserver/My Dir/My File.htm. Normalization is the process of decoding URL-encoded requests.
Because the % can be URL encoded, an attacker can submit a carefully crafted request to a server that is basically double-encoded. If this occurs, Internet Information Services (IIS) may accept a request that it would otherwise reject as not valid.
When you select Verify Normalization, the HTTP filter normalizes the URL two times. If the URL after the first normalization is different from the URL after the second normalization, the filter rejects the request. This prevents attacks that rely on double-encoded requests.
Note that while we recommend that you use the Verify Normalization function, it may also block legitimate requests that contain a %.