Sockets with IIS 6 / WinS2k3

I'm running an IIS 6 server on a Win2k3 box, and everything has been functional so far.  However, I recently installed PHP 5 as a module for IIS, and I'm having trouble making a socket connection for a site I'm building.

I need to generate a socket connection to an authentication server with two GET parameters.  The server should respond with a short XML snippet.  When I enter the full URL directly into my browser, i.e.

https://{%HOST%}/{%path%}?{%param1}='xxxx'&{%param2}='yyyyy'

I get the XML response sent to my browser with no trouble.  That is, I'm certain that the server responds to a standard GET request with the parameters I'm passing.

However, when I try to open a socket from within my PHP script to read the server response contents, I can't get the socket to open.  I'm using ready-built code that apparently works fine (on an Apache server), and I've tried about every method PHP has for getting this server response (fsocketopen(), curl, fopen(), get_file_contents()), but to no avail.   I'm really starting to think that the problem is in a security setting or something in either IIS or on WinS2k3.  No matter what I try in PHP, I simply can't get a socket opened to this authentication server.  

Is there a security setting/rights assignment I need to have set a certain way to allow the socket to be created?  

Zeek0 Asked:
sleep_furiously Commented:
Probably the SSL handshake is not completing successfully.

Is the authentication server under your control?  Can you allow the authentication server to temporarily accept plain http traffic for testing and see if you can make a socket connection without SSL to narrow down where the problem is?

I don't know about all the methods, but some won't complete if you are using a "test" certificate that is self-signed or doesn't verify on chain to a trusted root CA and if you have not set options to relax criteria for accepting certificates.  For example with curl you may need to set CURLOPT_SSL_VERIFYPEER and/or CURLOPT_SSL_VERIFYHOST to allow a certificate that does not match the name of the host, or does not verify back to a trusted root CA.
0
Zeek0 (Author) Commented:
I don't have control over the authentication server, but it's a general use CAS server.  As far as I can tell, its certificate is valid - proper name and verified by a trusted CA for sure.  If anything is going to change, it's going to have to be on my end.  

Is there a particular setting somewhere in my server's group policy I should double-check?  I use a self-signed certificate because the sites I host are all accessed in-house only.  Still, since I'm just trying to establish a client connection, that doesn't seem like it should matter.  As I said, I can access the site by entering a full URL into a client workstation browser.  
0
sleep_furiously Commented:
I can't think of a group policy that would cause this, although something like Windows Firewall could.  If you want to see if group policy is the issue, since you cannot set the CAS to allow plain HTTP, then try using the various functions to connect to any old web server and see if you are still failing for plain HTTP.

What happens when your attempt to open a socket fails?  Any error details?

You could try using socket_create(), socket_connect(), socket_write(), etc. to narrow down where exactly the problem occurs.

Other things to check:
Make sure php_openssl.dll is loaded
Software firewalls that may permit your browser to initiate connections, but not your server
0
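
The staged narrowing-down suggested in the comments above, written out as an added PHP example (not code from either participant): it checks the extensions, DNS, a plain TCP connect, and then a TLS connect with certificate verification left on, so a failure can be placed at one layer. The function name `diagnose_outbound` and the host `cas.example.invalid` are placeholders.

```php
<?php
// Added example: staged outbound-connection check for a PHP worker process.
// Host name below is a placeholder; substitute the server being tested.
function diagnose_outbound($host, $port = 443, $timeout = 5)
{
    $r = array();

    // Stage 1: is the TLS transport available to this PHP build at all?
    $r['openssl_loaded'] = extension_loaded('openssl');
    $r['sockets_loaded'] = extension_loaded('sockets');
    $r['ssl_transport']  = in_array('ssl', stream_get_transports(), true);

    // Stage 2: DNS. gethostbyname() returns its argument unchanged on failure.
    $ip = gethostbyname($host);
    $r['dns_ok'] = ($ip !== $host) || (ip2long($host) !== false);

    // Stage 3: plain TCP, no TLS. A failure here is below the certificate
    // layer: process identity, OS policy, routing or a firewall.
    $errno = 0;
    $errstr = '';
    $tcp = @stream_socket_client("tcp://$host:$port", $errno, $errstr, $timeout);
    $r['tcp_ok']    = ($tcp !== false);
    $r['tcp_error'] = $tcp ? null : "[$errno] $errstr";
    if ($tcp) {
        fclose($tcp);
    }

    // Stage 4: TLS with verification ON. Verification is not disabled to
    // "make it work"; the handshake error itself is what gets reported.
    // Older PHP 5 builds may also need a 'cafile' entry pointing at a CA bundle.
    if ($r['tcp_ok'] && $r['ssl_transport']) {
        $ctx = stream_context_create(array('ssl' => array(
            'verify_peer'      => true,
            'verify_peer_name' => true, // honoured from PHP 5.6 onward
        )));
        $tls = @stream_socket_client("ssl://$host:$port", $errno, $errstr,
                                     $timeout, STREAM_CLIENT_CONNECT, $ctx);
        $last = error_get_last(); // OpenSSL detail arrives as a PHP warning
        $r['tls_ok']    = ($tls !== false);
        $r['tls_error'] = $tls ? null : ($last ? $last['message'] : "[$errno] $errstr");
        if ($tls) {
            fclose($tls);
        }
    }
    return $r;
}

print_r(diagnose_outbound('cas.example.invalid'));
```

Run it through the web server rather than from the command line, so the result reflects the identity and restrictions of the worker process that serves the site.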

Zeek0 (Author) Commented:
Well, I tried some of the scripts I found using the above functions.  Still nothing.  I keep getting these errors like:

Warning: socket_create() expects parameter 3 to be long, string given

which confuses the crap out of me, because I'm using SOL_TCP.  Either way, socket_create fails, fsockopen fails, fopen . . .  I have no idea why I cannot open a damn socket on my server.

I ran my trusty Process Explorer during the original script running (the one that used fsockopen), to see if anything was fishy there, but all I saw was repeated errors like this:

Process: w3wp.exe
Request: IRP_MJ_QUERY_INFORMATION
Path: (this error pops up once for each include in the script)
Result: Invalid Parameter
Other: FilePipeLocalInformation

That stuff is well beyond my scope of understanding, but it still doesn't look like the definitive reason why things are breaking.  It's not an access error and not all of the classes generating the error have a socket call in them.  

My server isn't running a firewall, as it's behind the domain gateway and doesn't interface with internet traffic.  

Also, I can't get the functions to open any web pages - they all break upon trying to open the socket.  The file pointer variable always ends up being null.
0
Zeek0 (Author) Commented:
Okay, so I figured out how to work around the problem, but not what the problem is or how to solve it.

I changed the service parameter to "IIS 5.0 Isolation Mode" and set the application protection to low (IIS process).  Then everything worked like a charm.

I had tried to change the default application pool to run under the SYSTEM account and even that didn't help.  If anyone knows how I might alter my settings to allow me to switch back to the default IIS 6 application pooling mode, I'd appreciate it very much.  I don't like having to bust down to methods from a previous version of IIS AND choose the "low" application protection in order for this to work.
0
Zeek0 (Author) Commented:
There's no reason for this question to stay open, as I've figured out the problem.  I gave you the points, sleep_furiously, because it was only after I broke down the socket methods that I realized I couldn't even create one.  Unfortunately, I haven't seen the problem addressed anywhere else.
0