
Sockets with IIS 6 / WinS2k3

Posted on 2006-04-24
Last Modified: 2012-05-05
I'm running an IIS 6 server on a Win2k3 box, and everything has been functional so far.  However, I recently installed PHP 5 as a module for IIS, and I'm having trouble making a socket connection for a site I'm building.

I need to generate a socket connection to an authentication server with two GET parameters.  The server should respond with a short XML snippet.  When I enter the full URL directly into my browser, i.e.

https://{%HOST%}/{%path%}?{%param1}='xxxx'&{%param2}='yyyyy'

I get the XML response sent to my browser with no trouble.  That is, I'm certain that the server responds to a standard GET request with the parameters I'm passing.

However, when I try to open a socket from within my PHP script to read the server response contents, I can't get the socket to open.  I'm using ready-built code that apparently works fine (on an Apache server), and I've tried about every method PHP has for getting this server response (fsocketopen(), curl, fopen(), get_file_contents()), but to no avail.   I'm really starting to think that the problem is in a security setting or something in either IIS or on WinS2k3.  No matter what I try in PHP, I simply can't get a socket opened to this authentication server.  

Is there a security setting/rights assignment I need to have set a certain way to allow the socket to be created?  

Question by:Zeek0
 
LVL 10

Expert Comment

by:sleep_furiously
ID: 16530372
Probably the SSL handshake is not completing successfully.

Is the authentication server under your control?  Can you allow the authentication server to temporarily accept plain http traffic for testing and see if you can make a socket connection without SSL to narrow down where the problem is?

I don't know about all the methods, but some won't complete if you are using a "test" certificate that is self-signed or doesn't verify on chain to a trusted root CA and if you have not set options to relax criteria for accepting certificates.  For example with curl you may need to set CURLOPT_SSL_VERIFYPEER and/or CURLOPT_SSL_VERIFYHOST to allow a certificate that does not match the name of the host, or does not verify back to a trusted root CA.
 

Author Comment

by:Zeek0
ID: 16533711
I don't have control over the authentication server, but it's a general use CAS server.  As far as I can tell, its certificate is valid - proper name and verified by a trusted CA for sure.  If anything is going to change, it's going to have to be on my end.  

Is there a particular setting somewhere in my server's group policy I should double-check?  I use a self-signed certificate because the sites I host are all accessed in-house only.  Still, since I'm just trying to establish a client connection, that doesn't seem like it should matter.  As I said, I can access the site by entering a full URL into a client workstation browser.  
 
LVL 10

Accepted Solution

by:
sleep_furiously earned 2000 total points
ID: 16541411
I can't think of a group policy that would cause this, although something like Windows Firewall could.  If you want to see if group policy is the issue, since you cannot set the CAS to allow plain HTTP, then try using the various functions to connect to any old web server and see if you are still failing for plain HTTP.

What happens when your attempt to open a socket fails?  Any error details?

You could try using socket_create(), socket_connect(), socket_write(), etc. to narrow down where exactly the problem occurs.

Other things to check:
Make sure php_openssl.dll is loaded
Software firewalls that may permit your browser to initiate connections, but not your server
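
The stage-by-stage narrowing suggested in this answer, as an added example that is not part of the original thread: it checks the OpenSSL extension, DNS, the plain TCP connect and the TLS handshake separately, with certificate verification left on, and reports the first stage that fails. The function name `diagnose_https` and the host `cas.example.org` are hypothetical, and the code assumes PHP 7 or later rather than the PHP 5 used in the thread.

```php
<?php
// Added diagnostic sketch (not from the thread). gethostbyname() is IPv4-only.
function diagnose_https(string $host, int $port = 443, float $timeout = 10.0): array
{
    $report = [];

    // Stage 1: HTTPS from PHP needs the OpenSSL extension and its "ssl" transport.
    $report['openssl_loaded'] = extension_loaded('openssl');
    $report['ssl_transport']  = in_array('ssl', stream_get_transports(), true);

    // Stage 2: name resolution. gethostbyname() returns its input unchanged on failure.
    $ip = gethostbyname($host);
    $isLiteral = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $report['dns'] = ($ip !== $host || $isLiteral) ? $ip : false;
    if ($report['dns'] === false) {
        return $report + ['failed_at' => 'dns'];
    }

    // Stage 3: plain TCP connect. A failure here points at routing, a firewall
    // or the worker process being unable to create sockets, not at SSL.
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'      => true,   // keep chain verification on
        'verify_peer_name' => true,   // keep host name verification on
        'peer_name'        => $host,  // name to verify, since we connect by IP
    ]]);
    $sock = @stream_socket_client("tcp://$ip:$port", $errno, $errstr,
                                  $timeout, STREAM_CLIENT_CONNECT, $ctx);
    $report['tcp'] = $sock ? 'connected' : "errno $errno: $errstr";
    if (!$sock) {
        return $report + ['failed_at' => 'tcp'];
    }

    // Stage 4: TLS handshake on the open socket; capture the warning text,
    // which carries the OpenSSL reason (e.g. certificate verify failed).
    $tlsError = null;
    set_error_handler(function ($no, $msg) use (&$tlsError) { $tlsError = $msg; return true; });
    $ok = $report['openssl_loaded']
        && stream_socket_enable_crypto($sock, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
    restore_error_handler();
    fclose($sock);

    $report['tls'] = $ok === true
        ? 'handshake ok, certificate verified'
        : ($tlsError ?? 'handshake failed (is php_openssl loaded?)');
    return $report + ['failed_at' => $ok === true ? null : 'tls'];
}

print_r(diagnose_https('cas.example.org')); // placeholder host, replace with the real server
```

A `failed_at` of `tcp` for every host, including plain web servers, means the problem is below SSL entirely, so relaxing `CURLOPT_SSL_VERIFYPEER` or `CURLOPT_SSL_VERIFYHOST` would not help.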
 

Author Comment

by:Zeek0
ID: 16543934
Well, I tried some of the scripts I found using the above functions.  Still nothing.  I keep getting these errors like:

Warning: socket_create() expects parameter 3 to be long, string given

which confuses the crap out of me, because I'm using SOL_TCP.  Either way, socket_create fails, fsockopen fails, fopen . . .  I have no idea why I cannot open a damn socket on my server.

I ran my trusty Process Explorer during the original script running (the one that used fsockopen), to see if anything was fishy there, but all I saw was repeated errors like this:

Process: w3wp.exe
Request: IRP_MJ_QUERY_INFORMATION
Path: (this error pops up once for each include in the script)
Result: Invalid Parameter
Other: FilePipeLocalInformation

That stuff is well beyond my scope of understanding, but it still doesn't look like the definitive reason why things are breaking.  It's not an access error and not all of the classes generating the error have a socket call in them.  

My server isn't running a firewall, as it's behind the domain gateway and doesn't interface with internet traffic.  

Also, I can't get the functions to open any web pages - they all break upon trying to open the socket.  The file pointer variable always ends up being null.
 

Author Comment

by:Zeek0
ID: 16608286
Okay, so I figured out how to work around the problem, but not what the problem is or how to solve it.

I changed the service parameter to "IIS 5.0 Isolation Mode" and set the application protection to low (IIS process).  Then everything worked like a charm.

I had tried to change the default application pool to run under the SYSTEM account and even that didn't help.  If anyone knows how I might alter my settings to allow me to switch back to the default IIS 6 application pooling mode, I'd appreciate it very much.  I don't like having to bust down to methods from a previous version of IIS AND choose the "low" application protection in order for this to work.
 

Author Comment

by:Zeek0
ID: 16712022
There's no reason for this question to stay open, as I've figured out the problem.  I gave you the points, sleep_furiously, because it was only after I broke down the socket methods that I realized I couldn't even create one.  Unfortunately, I haven't seen the problem addressed anywhere else.