Error Code: 500 Internal Server Error. The request was rejected by the HTTP filter. Contact the server administrator. (12217)

Problem:

You may see the following error while browsing reports in SQL Server 2005 Reporting Services:

Error Code: 500 Internal Server Error. The request was rejected by the HTTP filter. Contact the server administrator. (12217)

We have seen that this error surfaces when you do one of the following:

A.

1. Go to Report Manager.

2. Go to Properties.

3. Click the Edit link for BUILTIN\Administrator.

4. Click the New Role button.

B.

1. Open https://reports.abc123.com/Reports and log in.

2. Click the Properties tab.

3. Click Edit next to the Administrator role.

4. Click the New Role button.

Typical Environment:

SQL + SSRS + ISA (Microsoft ISA 2006 Firewall)

[MACHINE - SQL Server + SSRS + ISA]

Microsoft SQL Server Reporting Services Version = 9.00.3054

OS Version: Windows 2003 Server, R2 Enterprise, x64 Edition

Resolution:

1. Start the ISA Server Management tool.

2. Expand ServerName, where ServerName is the name of your ISA Server computer.

3. Click Firewall Policy, click the Web publishing rule that you created to publish the SQL Server computer for access by SQL Reporting Service users, and then click Edit Selected Rule.

4. Click the Traffic tab, click Filtering, and then click Configure HTTP.

5. Click to clear the "verify normalization" check box, and then click OK two times.

6. Click Apply to update the firewall policy, and then click OK.

Additional Information:

Selecting Verify normalization blocks requests whose URLs still contain escaped characters after normalization.

Note:   Web servers receive requests that are URL encoded. This means that certain characters may be replaced with a percent sign (%) followed by a particular number. For example, %20 corresponds to a space, so a request for https://myserver/My%20Dir/My%20File.htm is the same as a request for https://myserver/My Dir/My File.htm. Normalization is the process of decoding URL-encoded requests.

Because the % can be URL encoded, an attacker can submit a carefully crafted request to a server that is basically double-encoded. If this occurs, Internet Information Services (IIS) may accept a request that it would otherwise reject as not valid.

When you select Verify Normalization, the HTTP filter normalizes the URL two times. If the URL after the first normalization is different from the URL after the second normalization, the filter rejects the request. This prevents attacks that rely on double-encoded requests.

Note that while we recommend that you use the Verify Normalization function, it may also block legitimate requests that contain a %.

*Source: https://www.microsoft.com/technet/isa/2004/plan/httpfiltering.mspx.
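The double-normalization check described under Additional Information, as an added example that is not ISA Server code or part of the original article. It assumes Python's `urllib.parse.unquote` as a stand-in for the filter's normalization and applies it to the whole request target; the sample URLs are constructed.

```python
from urllib.parse import unquote


def verify_normalization(url: str) -> dict:
    """Decode the URL twice and compare the results.

    Mirrors the rule described above: if the URL after the first
    normalization differs from the URL after the second, reject it.
    """
    first = unquote(url)     # what the web server would see after one decode
    second = unquote(first)  # a second decode changes only double-encoded input
    return {"first": first, "second": second, "allowed": first == second}


# Constructed sample requests (not taken from real traffic).
SAMPLES = {
    # %20 decodes to a space once and is then stable.
    "single_encoded": "/My%20Dir/My%20File.htm",
    # %25 is an encoded '%', so %2520 becomes %20 and then a space.
    "double_encoded": "/My%2520Dir/My%2520File.htm",
    # A legitimate pattern: an already-encoded URL carried inside a
    # query parameter, which is encoded again by the outer page.
    "nested_url_param": (
        "/Reports/Pages/Folder.aspx"
        "?ReturnUrl=%2FReports%3FItemPath%3D%252fSales"
    ),
    "plain": "/Reports/Pages/Folder.aspx",
}


def check_all(samples=SAMPLES) -> dict:
    """Run the check over every sample and return the verdicts by name."""
    return {name: verify_normalization(url) for name, url in samples.items()}


if __name__ == "__main__":
    for name, result in check_all().items():
        verdict = "ALLOW" if result["allowed"] else "REJECT"
        print(f"{verdict:6} {name}: {result['first']!r} -> {result['second']!r}")
```

The `nested_url_param` case is rejected for the same reason as the double-encoded one, which is the kind of legitimate request the note above says Verify Normalization can block.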