The other day, a web application developer contacted me to say that he could not upload files to the web server. He was using a web service to upload the files to the application server and was getting the error below –
The HTTP request was forbidden with client authentication scheme 'Anonymous'.
He had done his homework before coming to me and said that he could upload smaller files, but when he tried larger files (around 40-50 MB) he got the above error. This meant that at least the upload module was working fine.
I asked the developer to reproduce the issue and I looked at the IIS logs generated for the website.
Here’s what I found –
GET /Rejected-By-UrlScan ~/TestService/TestProtocolService.svc 88 - ::1 - - 404 0 2 100
GET /Rejected-By-UrlScan ~/TestService/TestProtocolService.svc 88 - ::1 - - 404 0 2 1
Oh, looks like there is a URLSCAN module installed on IIS which is rejecting the requests.
For those who are not aware of URLSCAN – it is a security extension that restricts the types of HTTP requests that IIS will process. By blocking specific HTTP requests, UrlScan helps to prevent potentially harmful requests from reaching applications on the server. It was used with older versions of IIS; newer versions (IIS 7 and above) have a new feature called Request Filtering.
But why are these requests being rejected? They seem to be legitimate requests.
I looked into the URLSCAN logs (Default Location - C:\Windows\System32\inetsrv\urlscan\logs) to understand the reason -
POST /TestService/TestProtocolService.svc Rejected Content+length+too+long Content-Length: 89437188 30000000
Here you go – the content length is too long. The log also records the length of the content that the client attempted to upload. Pretty neat logging!
I jumped directly into the URLSCAN configuration file (Default Location - C:\Windows\System32\inetsrv\urlscan\UrlScan.ini) and found the comment below –
; - MaxAllowedContentLength specifies the maximum allowed
; numeric value of the Content-Length request header. For
; example, setting this to 1000 would cause any request
; with a content length that exceeds 1000 to be rejected.
; The default is 30000000.
The default max. allowed content length was 30 MB. We altered this configuration and increased the parameter to a higher value to fix the problem.
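Before raising MaxAllowedContentLength, it helps to know how large the rejected uploads actually were, so the limit is increased only as far as the application needs. The script below is an added example, not part of the original troubleshooting: it parses UrlScan rejection lines in the form shown above and reports, per URL, the largest attempted Content-Length and a candidate limit. It assumes the two trailing numbers are the attempted length and the limit in force; the sample lines are constructed and the 10% headroom is an arbitrary choice.

```python
import re
from collections import defaultdict

# Matches the UrlScan rejection record in the form shown in the post. search()
# is used so any leading fields on a fuller log line are ignored.
# Assumption: the two trailing numbers are the attempted length and the limit.
REJECT_RE = re.compile(
    r"(?P<method>[A-Z]+)\s+(?P<uri>/\S*)\s+Rejected\s+Content\+length\+too\+long"
    r"\s+Content-Length:\s+(?P<attempted>\d+)\s+(?P<limit>\d+)"
)

# Constructed sample lines modelled on the entry above (not real log data).
# The last line stands in for any other rejection reason and must be skipped.
SAMPLE_LOG = """\
POST /TestService/TestProtocolService.svc Rejected Content+length+too+long Content-Length: 89437188 30000000
POST /TestService/TestProtocolService.svc Rejected Content+length+too+long Content-Length: 41250000 30000000
POST /TestService/Other.svc Rejected Content+length+too+long Content-Length: 30000001 30000000
GET /TestService/page.aspx Rejected placeholder+other+reason - -
"""


def summarize_rejections(lines):
    """Per URI: rejection count, largest attempted Content-Length, limit in force."""
    stats = defaultdict(lambda: {"count": 0, "max_attempted": 0, "limit": 0})
    for line in lines:
        m = REJECT_RE.search(line)
        if m is None:
            continue
        entry = stats[m["uri"]]
        entry["count"] += 1
        entry["max_attempted"] = max(entry["max_attempted"], int(m["attempted"]))
        entry["limit"] = int(m["limit"])
    return dict(stats)


def smallest_sufficient_limit(entry, headroom_pct=10):
    """Largest upload seen plus headroom, instead of an arbitrarily large value."""
    return entry["max_attempted"] * (100 + headroom_pct) // 100


if __name__ == "__main__":
    for uri, entry in summarize_rejections(SAMPLE_LOG.splitlines()).items():
        print(f"{uri}: {entry['count']} rejected, largest {entry['max_attempted']} "
              f"bytes, limit {entry['limit']}, candidate MaxAllowedContentLength "
              f"{smallest_sufficient_limit(entry)}")
```

A URL that shows up here with sizes far beyond anything the application legitimately handles is a reason to leave the limit where it is rather than raise it.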