FIM CM Troubleshooting: While Trying to Search for Cards to Print with the Bulk Client You May Get a HTTP 404 Error
Issue
Recently worked a case with FIM CM where the user was unable to search for requests with the Bulk Client to print smart cards.
After a few lengthy troubleshooting sessions I stumbled across Double Escapes.
Resolution
The resolution to the case was to add a “true” condition for double escapes in either the IIS server or the website for the FIM CM Portal.
Fix
There are two methods to implement the fix: manual or automatic.
Manually adding
Add
<requestFiltering allowDoubleEscaping="true">
to the following files:
Server Specific: |
applicationhost.config |
Site Specific: |
web.config |
Automatically changing the files
With the following command:
| Site Specific: | Appcmd set config "Default Web Site" /section:system.
webServer/Security/requestFiltering -allowDoubleEscaping:True |
| Site Specific w/ a location tag: | appcmd set config "Default Web Site" /section:system.
webServer/Security/requestFiltering -allowDoubleEscaping:True /commit:appHost |
Double escapes can become a security hole for an IIS server. In our case, the customer was not concerned with the security hole that allowing double escapes created since the server was internal to the company, only 2 people had access to it and the site was only accessed from a single Windows 7 client where the Bulk Client for FIM CM was installed
So what are Double Escapes?
Forgive me but I am not an IIS expert, but Double Escapes are the ability for an IIS server to interpret something like (FirstName LastName) into FirstName%20Lastname. Potentially this could give someone the ability to inject SQL code or java into a URL which could possibly lead to code execution.