Re: iis not transferring clients to ssl port

From: David Wang [Msft] (
Date: 05/23/04

  • Next message: George Hester: "Re: Using IISADMPWD Virtual Directory"
    Date: Sat, 22 May 2004 22:41:26 -0700

    There are several ways to do this. The main difference is "where does the
    requirement that page X requires SSL exist"? It can either live in
    individual ASP pages, inside of IIS metabase at a per-URL level, or inside
    some central text file.

    However, you need to understand that there are limits to implementing an
    "automatic transfer from HTTP to HTTPS" using modern browsers and web
    servers. Namely, it does not work for posted FORMS, and it cannot be done
    without changing the URL in the location bar in the browser. This is
    because for all intents and purposes, the "transfer" from HTTP to HTTPS is
    over a new socket connection as well as port #, which triggers the client to
    both display the new URL as well as warn on re-posted FORMs.

    One way is to have each page that is supposed to be secured to check if they
    are accessed over secured channel, and if not, redirect. i.e.

    ' Check if request is over HTTPS or not
    ' If it is not over HTTPS, send a 302 redirection to this page over HTTPS
    IF Request.ServerVariables("SERVER_PORT_SECURE") = "0" THEN
        ' Be aware that this is vulnerable to Cross-site scripting attack...
        Response.Redirect "https://" & Request.ServerVariables("HTTP_HOST") &
    Request.ServerVariables("SCRIPT_NAME") & "?" &
    END IF
    ' Rest of ASP page

    Another way is to have IIS check if a URL is supposed to be accessed over a
    secured channel, and if not, send a 403.4 custom error, which you will
    hijack and use to send the redirection. i.e.
    1. Go to IIS Manager UI
    2. Select the file to require SSL, choose right-click properties, and go to
    the "File Security" tab
    3. Select "Edit" under "Secure communications" and check the "Require secure
    channel (SSL)" option. OK
    4. Select the "Custom Errors" tab and modify 403.4 to execute a URL. You
    can make it execute the ASP code I gave above to see what is happening and
    how to custom-tailor to your needs

    Both "File Security" and "Custom Errors" can be set at a per-URL level or
    aggregated to a per-vdir or per-website level, so you can fine-tune it
    however you wish.

    This general idea can be extended such that all configuration is centralized
    instead of spread out amongst individual files. You can write an ISAPI
    Filter that triggers on all incoming URLs, inspect the URL and compare
    against a list of URLs from a text file that "must be over SSL", and if the
    request isn't over SSL, send a 302 redirection. This isn't as easy as
    writing an ASP page or twiddling IIS configuration, but it's doable.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    "Marty Bleck" <> wrote in message
    Hi Paul,
    He wants to set up the server to allow the web masters to be able to
    select wich pages are protected.  (ie:  https instead of http)  He and I
    have seen this done.  He is not using active directory so he has to tell
    iis what port to transfer the clients web browser to.  He can't find
    where to do this.  Setting it up using acive directory works fine, but
    he wants the webmasters to be able to secure only the pages they want
    without being transferred to a sub domain.  You can tell the sites that
    are set up this way when they secure the page but you are not
    transferred to a sub domain.  A few of the sites that I have contacted
    seem unwilling to share how they set this up.  That is why I posted to a
    microsoft forum hoping that someone that works for ms would say 'oh yeh,
    you just have to go here and click this check box'.  I've been through
    almost every kb about ssl and have found nothing, that is why I resorted
    to using the forums.  Thanks in advance for any help you can provide.
    *** Sent via Developersdex ***
    Don't just participate in USENET...get rewarded for it!

  • Next message: George Hester: "Re: Using IISADMPWD Virtual Directory"

    Relevant Pages

    • Re: Setting up HTTPS w/subdomain on Apache2
      ... Secure data transfer ... The docs recommended using SSL, ... I'm mistaken, HTTP w/SSL = HTTPS. ... Authentication would be basic or digest (Personally I'm using basic ...
    • Re: Setting up HTTPS w/subdomain on Apache2
      ... Secure data transfer ... The docs recommended using SSL, ... I'm mistaken, HTTP w/SSL = HTTPS. ... Authentication would be basic or digest (Personally I'm using basic ...
    • Re: At What Point Does the Security Begin?
      ... All secure forms examine this variable, and if empty redirect to the ... all pages behind the login are posted through SSL. ... in which I understand .NET uses a cookie behind ... not secure (it's called at http, not https) but posts to a page ...
    • Researcher demonstrates SSL attack
      ... Moxie Marlinspike, who spoke at the Black Hat security conference on Wednesday, explained how to subvert an SSL session by performing a man-in-the-middle attack. ... The anarchist researcher explained in a YouTube video that the attack uses a tool developed called SSLstrip, which exploits the interface between http and https sessions. ... Secure Sockets Layer, and its successor Transport Layer Security, are cryptographic protocols used to encrypt communications over TCP/IP networks. ...
    • Removing Requirment for an SSL connection
      ... I have SBS 2000 running with IIS and Exchange and went through this ... We set the default website up to require an SSL connection because we didn't ... Office Scan) so of course this now required a secure connection to connect ...