Thursday, 4 September 2008

Migrating ASP.NET apps to Windows Server 2008 / IIS7 - URLs with '+' don't work

Having successfully migrated production .NET v3.5 web applications over to Server 2008, one issue is that some URLs don't work, ie. ones that have a '+'.  This is because IIS7 rejects such URLs with Error 404.11 'URL_DOUBLE_ESCAPED'; See here.

To resolve it, simply put

<system.webServer>
  <security>
    <requestFiltering allowDoubleEscaping="false" />
  </security>
</system.webServer>

...in your web.config under 'configuration'

This makes the server less secure against Canonicalization Attacks.