iis security: We have an ActiveX CAB file that is part of an Active
Server Page web-based application. It worked fine on
Server 2000 both in HTTP and HTTPS. On migrating it to
Server 2003, it still works on HTTP however it will not
download under HTTPS to the browser.

The browser is IE 6.0 and has been configured with Low
security level to trusted sites. The server has been
loaded as a trusted site in the client browser.

From the server if I change the codebase of the <object>
tag to start "http://" the object downloads, installs, and
runs just fine. I clear the object from the browser,
change the <object> tag to start "https://" (Absolutely no
other changes were made) and the browser puts the empty
box on the screen, showing the placeholder for the object,
but does not download it.

Again, this exact same code works under Server 2000 in
both HTTP and HTTPS.

BTW, I already have the workaround of using HTTP, but then
we get the pop-up warning that we are loading both secure
and unsecure objects into the page.

Any help would be greatly appreciated.

Thanks,

It is not clear whether the problem is:
1. The server sends the CAB file to the client, but the client is rejecting
it for some reason
2. The server is not sending the CAB file.

To distinguish between the two, make a NetMon trace (this is included with
Windows Server 2003 as a component) between the server and client on two
different machines.

If you see the CAB file being sent via SSL back to the client, the problem
is somewhere on the client. If the CAB file is not being sent via SSL, then
you want to check out the IIS Web logs at
%SYSTEMROOT%\System32\LogFiles\HTTPERR\*.log and
%SYSTEMROOT%\System32\LogFiles\W3SVC#\*.log

I have found instances with IE6 where if it is configured to "do not cache
secure pages", it refuses to display a HTTPS URL (even though it downloaded
it).

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
[quoted text, click to view]
We have an ActiveX CAB file that is part of an Active
Server Page web-based application. It worked fine on
Server 2000 both in HTTP and HTTPS. On migrating it to
Server 2003, it still works on HTTP however it will not
download under HTTPS to the browser.

The browser is IE 6.0 and has been configured with Low
security level to trusted sites. The server has been
loaded as a trusted site in the client browser.

From the server if I change the codebase of the <object>
tag to start "http://" the object downloads, installs, and
runs just fine. I clear the object from the browser,
change the <object> tag to start "https://" (Absolutely no
other changes were made) and the browser puts the empty
box on the screen, showing the placeholder for the object,
but does not download it.

Again, this exact same code works under Server 2000 in
both HTTP and HTTPS.

BTW, I already have the workaround of using HTTP, but then
we get the pop-up warning that we are loading both secure
and unsecure objects into the page.

Any help would be greatly appreciated.

Thanks,
Benjamin Stephens

The differences in the log file for port 80 and port 443
are below. (I've removed IP addresses for obvious
reasons.) There seems to be a difference in the sc-win32-
status and I can't find a reference for these values
anywhere. Either 64 or 995. Is there anything else I
should be looking for?

Thanks,
Benjamin Stephens
----------------------------------------------------------
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2003-11-03 15:13:59
#Fields: date time cs-method cs-uri-stem cs-uri-query s-
port cs-username cs(User-Agent) sc-status sc-substatus sc-
win32-status

2003-11-03 15:16:57 GET /Common/Packages/CMP.CAB - 80 -
Mozilla/4.0+
(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322)
200 0 64

2003-11-03 15:18:07 64.5.60.17
GET /Common/Packages/CMP.CAB - 443 - 66.180.101.158
Mozilla/4.0+
(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322)
200 0 995
-----------------------------------------------------------

[quoted text, click to view]

Through more log work, (Pun intended) I've found that the
server is not sending it. The log reports 7279695 bytes
sent under port 80 and 0 bytes sent under port 443.

Any help?

Thanks,

Can you check with Network monitor to verify that indeed NO response data is
being sent by the server?

I think something is preventing the server from serving the file:
Win32 error 64 = "The specified network name is no longer available."
Win32 error 995 = "The I/O operation has been aborted because of either a
thread exit or an application request."

These are signs that the server tried to send the data, but either the
backend disappeared on it, or the client disconnected prematurely.

Do you have a Wildcard Extension mapped on the server?

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
[quoted text, click to view]

Through more log work, (Pun intended) I've found that the
server is not sending it. The log reports 7279695 bytes
sent under port 80 and 0 bytes sent under port 443.

Any help?

Thanks,
Benjamin Stephens

I've found out a little bit more information. When I
unselect "Enable content expiration" it will work. When
Contect Expiration is enabled it will fail in HTTPS but
work in HTTP just fine.

So I'm turning off Content Expiration on just the Cab
folder and leaving it on for the rest of the site. That
seems to have fixed the problem. Very bizarre.

Any insight into why that would work that way? Again it
is only an issue in 2003. We had no trouble in 2000.

Thanks,
Benjamin Stephens


[quoted text, click to view]