I previously posted about a [CS] url encoding problem on Vista. The problem was the urls in the tag cloud where rendering spaces with + rather than %20. On Vista (and Windows Server 2008), this results in a 404 error. At the time I spend a few hours researching the problem but no-one had posted any details about this issue at the time. I started looking into it again yesterday and found that there is now a lot of information about the issue.
It is a security feature of IIS7 that denies double escaping by default (see here, here (#11), here and so many places).
Out of all the information that I read yesterday there is some incorrect and not so good information regarding the workaround (can't call it a fix). What worked for me was to:
- Open Notepad with elevated privileges
- Open %windir%\System32\inetsrv\config\applicationHost.config
- Locate the line <section name="requestFiltering" overrideModeDefault="Deny" /> and replace it with <section name="requestFiltering" overrideModeDefault="Allow"/>
- Save applicationHost.config
- Open your web.config
- Add <system.webServer> <security> <requestFiltering allowDoubleEscaping="True"/> </security> </system.webServer> under the configuration element.
- Save web.config
Most of the posts I read didn't mention steps 2-4 which I found just gives a 500 internal service error. Other posts indicate that the change in step 6 should be applied to applicationHost.config. I don't think that is a good suggestion as the workaround reduces the security level of IIS and such a change would apply to all web application rather than the one that you specifically need to modify the behavior of.
At the end of the day, it is still a [CS] bug (at least on Vista and Windows Server 2008) as the url encoding should use %20 rather than + for encoding spaces.