Carrots Posted November 3, 2008 Posted November 3, 2008 In the IIS logs, our client has found a bunch of 403.7 64 's being logged. Most of them are to /VirtualDirectoryName, for example:2008-10-30 06:41:00 W3SVC3 xxx.xxx.xxx.xxx GET /VirtualDirectoryName - 443 - xxx.xxx.xxx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+1.1.4322;+.NET+CLR+3.0.04506.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 403 7 64These happen quite often, sometimes 4 or so requests in a row.Directory browsing is disabled on the sites, and the default page is set to default.htm which exists, so theoretically, there should be no requests for the path.I have enabled schannel logging, but couldnt find one matching the timestamp in IIS. For example, in IIS we have one for 2008-10-30 11:49:50, and in event viewer we have one for 11:49:52 and one for 11:49:45. I also couldnt find a patter that makes it look like the one is trailing the other by a couple of seconds.All the IIS requests are on port 443, none are on 80.Schannel logs information events, but no warnings.The client confirmed that the system logs and IIS logs were from the same server.They run Windows 2003 x64 R2 on a NLB cluster. The machines in the testing environment is a single machine only.I am able to intermittently reproduce it on my own environment (XP 64). One out of 20 times doing the exact same actions will give me the error in the logs. The error does not affect the user at all.Testers currently test on Windows XP 32, with IE6, IE7 and Firefox, using software certs, or in some cases USB tokens. I replicated using a software cert.Now this does not sound like something I should be spending my time on, but the client is being audited, and this has been raised as a concern by the auditing company.
cluberti Posted November 3, 2008 Posted November 3, 2008 Well, a 403.7 from an IIS server means403.7 - Client certificate requiredWhich would indicate the directory being requested is configured for certificate auth security, and the client making the request did not provide one at the time of the request (might be an error, but it just may have been the first anon request, in which case a 403.7 is an expected response to tell the client that it needs to provide a cert on the next request).http://support.microsoft.com/kb/942067/
Carrots Posted November 3, 2008 Author Posted November 3, 2008 The users (testers in this case) all have client certs installed on their PC's, and this also appears in the middle of a certain flow. For example, you would have:logon.aspx 200 0 0Functionality1.aspx 200 0 0step1.aspx 200 0 0/virtualdirectoryname 403.7 64/virtualdirectoryname 403.7 64Step2 200 0 0all with the same IP address. Something that might be worth mentioning, the pages submit to a custom extension, lets say .cust, which uses he same executable as aspx, C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\aspnet_isapi.dllso you would actually get:/virtualdirectoryname/logon.cust 200 0 0/virtualdirectoryname/Functionality1.cust 200 0 0/virtualdirectoryname/step1.cust 200 0 0/virtualdirectoryname 403.7 64/virtualdirectoryname 403.7 64/virtualdirectoryname/Step2.cust 200 0 0
Carrots Posted November 5, 2008 Author Posted November 5, 2008 some more info:I have replicated on my dev machine (which is not in an NLB cluster). I logged on something like 10-20 times, sometimes clearing the browser cache, sometimes not, and get the 403 once in the logs.For that specific time, there is nothing in the system logs, where usually there is a schannel information event logged in the system log.I have a valid certificate. If I try to log on without a valid cert, I get 403.7 5 instead of the 403.7 64 which I see in the logs.
Recommended Posts
Please sign in to comment
You will be able to leave a comment after signing in
Sign In Now