Sockets with IIS 6 / WinS2k3

Posted on 2006-04-24
Last Modified: 2012-05-05
I'm running an IIS 6 server on a Win2k3 box, and everything has been functional so far.  However, I recently installed PHP 5 as a module for IIS, and I'm having trouble making a socket connection for a site I'm building.

I need to generate a socket connection to an authentication server with two GET parameters.  The server should respond with a short XML snippet.  When I enter the full URL directly into my browser, i.e.


I get the XML response sent to my browser with no trouble.  That is, I'm certain that the server responds to a standard GET request with the parameters I'm passing.

However, when I try to open a socket from within my PHP script to read the server response contents, I can't get the socket to open.  I'm using ready-built code that apparently works fine (on an Apache server), and I've tried about every method PHP has for getting this server response (fsocketopen(), curl, fopen(), get_file_contents()), but to no avail.   I'm really starting to think that the problem is in a security setting or something in either IIS or on WinS2k3.  No matter what I try in PHP, I simply can't get a socket opened to this authentication server.  

Is there a security setting/rights assignment I need to have set a certain way to allow the socket to be created?  

Question by:Zeek0

    Expert Comment

    Probably the SSL handshake is not completing successfully.

    Is the authentication server under your control?  Can you allow the authentication server to temporarily accept plain http traffic for testing and see if you can make a socket connection without SSL to narrow down where the problem is?

    I don't know about all the methods, but some won't complete if you are using a "test" certificate that is self-signed or doesn't verify on chain to a trusted root CA and if you have not set options to relax criteria for accepting certificates.  For example with curl you may need to set CURLOPT_SSL_VERIFYPEER and/or CURLOPT_SSL_VERIFYHOST to allow a certificate that does not match the name of the host, or does not verify back to a trusted root CA.

    Author Comment

    I don't have control over the authentication server, but it's a general use CAS server.  As far as I can tell, its certificate is valid - proper name and verified by a trusted CA for sure.  If anything is going to change, it's going to have to be on my end.  

    Is there a particular setting somewhere in my server's group policy I should double-check?  I use a self-signed certificate because the sites I host are all accessed in-house only.  Still, since I'm just trying to establish a client connection, that doesn't seem like it should matter.  As I said, I can access the site by entering a full URL into a client workstation browser.  

    Accepted Solution

    I can't think of a group policy that would cause this, although something like Windows Firewall could.  If you want to see if group policy is the issue, since you cannot set the CAS to allow plain HTTP, then try using the various functions to connect to any old web server and see if you are still failing for plain HTTP.

    What happens when your attempt to open a socket fails?  Any error details?

    You could try using socket_create(), socket_connect(), socket_write(), etc. to narrow down where exactly the problem occurs.

    Other things to check:
    Make sure php_openssl.dll is loaded
    Software firewalls that may permit your browser to initiate connections, but not your server
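
The staged check suggested in the answer above, written out as an added example (not code posted by anyone in the thread): it reports which step fails first, from loaded extensions through DNS, raw TCP and the TLS handshake. The host `cas.example.org` and port 443 are placeholders, and certificate verification is left on so that a handshake failure is reported rather than hidden.

```php
<?php
// Added diagnostic sketch. Host and port at the bottom are placeholders.
function diagnose_connection($host, $port)
{
    $report = array();

    // Stage 0: extensions the later stages depend on (php_sockets / php_openssl).
    $report['sockets_ext'] = extension_loaded('sockets');
    $report['openssl_ext'] = extension_loaded('openssl');

    // Stage 1: name resolution. gethostbyname() returns its input unchanged on failure.
    $ip = gethostbyname($host);
    $resolved = filter_var($ip, FILTER_VALIDATE_IP) !== false;
    $report['dns'] = $resolved ? $ip : 'FAILED';
    if (!$resolved) {
        return $report;
    }

    // Stage 2: raw TCP, no TLS. A failure here rules out certificates as the cause.
    if ($report['sockets_ext']) {
        $sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
        if ($sock === false) {
            $report['socket_create'] = 'FAILED: ' . socket_strerror(socket_last_error());
            return $report;
        }
        $report['socket_create'] = 'ok';
        $report['socket_connect'] = @socket_connect($sock, $ip, $port)
            ? 'ok'
            : 'FAILED: ' . socket_strerror(socket_last_error($sock));
        socket_close($sock);
    }

    // Stage 3: TLS handshake with peer and host-name verification enabled.
    if ($report['openssl_ext']) {
        $ctx = stream_context_create(array('ssl' => array(
            'verify_peer'      => true,
            'verify_peer_name' => true,
        )));
        $errno = 0;
        $errstr = '';
        $fp = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
                                    STREAM_CLIENT_CONNECT, $ctx);
        $report['tls'] = $fp ? 'ok' : "FAILED: [$errno] $errstr";
        if ($fp) {
            fclose($fp);
        }
    }
    return $report;
}

foreach (diagnose_connection('cas.example.org', 443) as $stage => $result) {
    echo str_pad($stage, 16), var_export($result, true), PHP_EOL;
}
```

Running it both from the command line and through the web server separates a PHP configuration problem from a restriction on the worker process identity.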

    Author Comment

    Well, I tried some of the scripts I found using the above functions.  Still nothing.  I keep getting these errors like:

    Warning: socket_create() expects parameter 3 to be long, string given

    which confuses the crap out of me, because I'm using SOL_TCP.  Either way, socket_create fails, fsockopen fails, fopen . . .  I have no idea why I cannot open a damn socket on my server.

    I ran my trusty Process Explorer during the original script running (the one that used fsockopen), to see if anything was fishy there, but all I saw was repeated errors like this:

    Process: w3wp.exe
    Path: (this error pops up once for each include in the script)
    Result: Invalid Parameter
    Other: FilePipeLocalInformation

    That stuff is well beyond my scope of understanding, but it still doesn't look like the definitive reason why things are breaking.  It's not an access error and not all of the classes generating the error have a socket call in them.  

    My server isn't running a firewall, as it's behind the domain gateway and doesn't interface with internet traffic.  

    Also, I can't get the functions to open any web pages - they all break upon trying to open the socket.  The file pointer variable always ends up being null.

    Author Comment

    Okay, so I figured out how to work around the problem, but not what the problem is or how to solve it.

    I changed the service parameter to "IIS 5.0 Isolation Mode" and set the application protection to low (IIS process).  Then everything worked like a charm.

    I had tried to change the default application pool to run under the SYSTEM account and even that didn't help.  If anyone knows how I might alter my settings to allow me to switch back to the default IIS 6 application pooling mode, I'd appreciate it very much.  I don't like having to bust down to methods from a previous version of IIS AND choose the "low" application protection in order for this to work.

    Author Comment

    There's no reason for this question to stay open, as I've figured out the problem.  I gave you the points, sleep_furiously, because it was only after I broke down the socket methods that I realized I couldn't even create one.  Unfortunately, I haven't seen the problem addressed anywhere else.
