Zeek0

Sockets with IIS 6 / WinS2k3

I'm running an IIS 6 server on a Win2k3 box, and everything has been functional so far.  However, I recently installed PHP 5 as a module for IIS, and I'm having trouble making a socket connection for a site I'm building.

I need to generate a socket connection to an authentication server with two GET parameters.  The server should respond with a short XML snippet.  When I enter the full URL directly into my browser, i.e.

https://{%HOST%}/{%path%}?{%param1}='xxxx'&{%param2}='yyyyy'

I get the XML response sent to my browser with no trouble.  That is, I'm certain that the server responds to a standard GET request with the parameters I'm passing.

However, when I try to open a socket from within my PHP script to read the server response contents, I can't get the socket to open.  I'm using ready-built code that apparently works fine (on an Apache server), and I've tried about every method PHP has for getting this server response (fsocketopen(), curl, fopen(), get_file_contents()), but to no avail.   I'm really starting to think that the problem is in a security setting or something in either IIS or on WinS2k3.  No matter what I try in PHP, I simply can't get a socket opened to this authentication server.  

Is there a security setting/rights assignment I need to have set a certain way to allow the socket to be created?  

sleep_furiously

Probably the SSL handshake is not completing successfully.

Is the authentication server under your control?  Can you allow the authentication server to temporarily accept plain http traffic for testing and see if you can make a socket connection without SSL to narrow down where the problem is?

I don't know about all the methods, but some won't complete if you are using a "test" certificate that is self-signed or doesn't verify on chain to a trusted root CA and if you have not set options to relax criteria for accepting certificates.  For example with curl you may need to set CURLOPT_SSL_VERIFYPEER and/or CURLOPT_SSL_VERIFYHOST to allow a certificate that does not match the name of the host, or does not verify back to a trusted root CA.
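
The layer-by-layer narrowing suggested in this answer, as an added example that is not part of the original thread: it reports separately whether PHP has TLS support, whether the name resolves, whether a plain TCP connect succeeds, and whether a TLS handshake completes with certificate verification left on. The function name `probe_https_endpoint` and the host `cas.example.org` are placeholders.

```php
<?php
// Added diagnostic sketch. probe_https_endpoint() and cas.example.org are
// placeholders chosen for this example; they do not come from the thread.
function probe_https_endpoint($host, $port = 443, $timeout = 5)
{
    $report = array();

    // 1. TLS support in this PHP build. Without the openssl extension the
    //    ssl:// transport and the https:// wrapper are not registered.
    $report['openssl_loaded'] = extension_loaded('openssl');
    $report['ssl_transport']  = in_array('ssl', stream_get_transports(), true);

    // 2. Name resolution. gethostbyname() returns its input unchanged on failure.
    $ip = gethostbyname($host);
    $isLiteral = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $report['dns'] = ($ip === $host && !$isLiteral) ? 'failed' : $ip;

    // 3. Plain TCP connect, no TLS involved. A failure here means the problem
    //    is below the certificate layer (routing, policy, process rights).
    $errno = 0;
    $errstr = '';
    $tcp = @stream_socket_client("tcp://$host:$port", $errno, $errstr, $timeout);
    $report['tcp'] = $tcp ? 'connected' : "failed: [$errno] $errstr";
    if ($tcp) {
        fclose($tcp);
    }

    // 4. TLS handshake with peer verification ON, so a certificate problem
    //    shows up as an error instead of being silently accepted.
    if (!$report['ssl_transport']) {
        $report['tls'] = 'skipped: no ssl transport available';
        return $report;
    }
    $ctx = stream_context_create(array('ssl' => array(
        'verify_peer'      => true,
        'verify_peer_name' => true,
    )));
    $tls = @stream_socket_client("ssl://$host:$port", $errno, $errstr,
                                 $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($tls) {
        $report['tls'] = 'handshake ok';
        fclose($tls);
    } else {
        // Handshake errors are often raised as warnings, not via $errstr.
        $last = error_get_last();
        $report['tls'] = 'failed: ' . ($last ? $last['message'] : "[$errno] $errstr");
    }
    return $report;
}

print_r(probe_https_endpoint('cas.example.org'));
```

Running the same script from the command line and through the web server separates the two cases: if the results differ, the cause lies in the worker process's environment rather than in PHP or the remote certificate.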

ASKER

I don't have control over the authentication server, but it's a general use CAS server.  As far as I can tell, its certificate is valid - proper name and verified by a trusted CA for sure.  If anything is going to change, it's going to have to be on my end.  

Is there a particular setting somewhere in my server's group policy I should double-check?  I use a self-signed certificate because the sites I host are all accessed in-house only.  Still, since I'm just trying to establish a client connection, that doesn't seem like it should matter.  As I said, I can access the site by entering a full URL into a client workstation browser.  
ASKER CERTIFIED SOLUTION
sleep_furiously

This solution is only available to members.

ASKER

Well, I tried some of the scripts I found using the above functions.  Still nothing.  I keep getting these errors like:

Warning: socket_create() expects parameter 3 to be long, string given

which confuses the crap out of me, because I'm using SOL_TCP.  Either way, socket_create fails, fsockopen fails, fopen . . .  I have no idea why I cannot open a damn socket on my server.

I ran my trusty Process Explorer during the original script running (the one that used fsockopen), to see if anything was fishy there, but all I saw was repeated errors like this:

Process: w3wp.exe
Request: IRP_MJ_QUERY_INFORMATION
Path: (this error pops up once for each include in the script)
Result: Invalid Parameter
Other: FilePipeLocalInformation

That stuff is well beyond my scope of understanding, but it still doesn't look like the definitive reason why things are breaking.  It's not an access error and not all of the classes generating the error have a socket call in them.  

My server isn't running a firewall, as it's behind the domain gateway and doesn't interface with internet traffic.  

Also, I can't get the functions to open any web pages - they all break upon trying to open the socket.  The file pointer variable always ends up being null.

ASKER

Okay, so I figured out how to work around the problem, but not what the problem is or how to solve it.

I changed the service parameter to "IIS 5.0 Isolation Mode" and set the application protection to low (IIS process).  Then everything worked like a charm.

I had tried to change the default application pool to run under the SYSTEM account and even that didn't help.  If anyone knows how I might alter my settings to allow me to switch back to the default IIS 6 application pooling mode, I'd appreciate it very much.  I don't like having to bust down to methods from a previous version of IIS AND choose the "low" application protection in order for this to work.

ASKER

There's no reason for this question to stay open, as I've figured out the problem.  I gave you the points, sleep_furiously, because it was only after I broke down the socket methods that I realized I couldn't even create one.  Unfortunately, I haven't seen the problem addressed anywhere else.