Alexander's Blog

Sharing knowledge with the global IT community since November 1, 2004

Error Code: 500 Internal Server Error. The request was rejected by the HTTP filter. Contact the server administrator.


The other day I was working on my Microsoft Office SharePoint Server (MOSS) 2007 and discovered that when I clicked on a new content type that I created, it gave me the following error in my browser.

Error Code: 500 Internal Server Error. The request was rejected by the HTTP filter. Contact the server administrator.

First I looked at various settings on my SharePoint server just to make sure that everything was in order. I couldn’t find anything suspicious on the server, so I proceeded to the next step and looked into the error message. The error indicated that my request was rejected by the HTTP filter, so I knew I had to troubleshoot the problem on my ISA Server 2006, which filters the HTTP requests. After doing a little bit of research I discovered that clearing the option to verify normalization might help solve my problem, and luckily it did. Normalization is the process of decoding URL-encoded requests. By clearing this option, I would not be blocking requests with URLs that contain escaped characters after normalization. Here’s the step-by-step procedure.

  1. Start ISA Server 2006 Management Console.
  2. Go to the Firewall Policy.
  3. Right-click the Web policy rule that allows access to the SharePoint server and select Configure HTTP.
  4. Clear the box Verify normalization, as shown below.
  5. You don’t have to change the option to Block high bit characters as shown in the screenshot. You can leave it at the default option on your server. On my server I have selected the option to specify that URLs with high-bit characters are blocked because it can help block some attacks on Web servers running Internet Information Services (IIS). The downside to selecting this option is that it may also block requests and responses that contain characters from one of several languages that require high-bit characters.
  6. Apply the change made to your ISA Server 2006 and the error on your SharePoint server should go away immediately.

If you are curious about the verify normalization option, here’s some more information from Microsoft TechNet.

Web servers receive requests that are URL encoded. This means that certain characters may be replaced with a percent sign (%) followed by a particular number. For example, %20 corresponds to a space, so a request for http://myserver/My%20Dir/My%20File.htm is the same as a request for http://myserver/My Dir/My File.htm. Normalization is the process of decoding URL-encoded requests.

Because the % can be URL encoded, an attacker can submit a carefully crafted request to a server that is basically double-encoded. If this occurs, Internet Information Services (IIS) may accept a request that it would otherwise reject as not valid. When you select Verify Normalization, the HTTP filter normalizes the URL two times. If the URL after the first normalization is different from the URL after the second normalization, the filter rejects the request. This prevents attacks that rely on double-encoded requests.

Note that while we recommend that you use the Verify Normalization function, it may also block legitimate requests that contain a %.
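
The double-decode comparison described in the TechNet excerpt, as an added example that is not from the original post or from Microsoft. It assumes Python's `unquote_to_bytes` as a stand-in for ISA's own normalizer; `decode_layers` and `evaluate` are hypothetical helpers, and every sample path except the `My%20Dir` one is constructed.

```python
from urllib.parse import unquote_to_bytes

def normalize(path: bytes) -> bytes:
    """One normalization pass: decode %XX escapes, leave malformed ones as-is."""
    return unquote_to_bytes(path)

def verify_normalization(path: str) -> bool:
    """True if the request passes: a second decode changes nothing."""
    first = normalize(path.encode("utf-8"))
    return normalize(first) == first

def decode_layers(path: str, limit: int = 5) -> int:
    """Count decode passes until the path stops changing (useful in log triage)."""
    current, layers = path.encode("utf-8"), 0
    while layers < limit:
        decoded = normalize(current)
        if decoded == current:
            break
        current, layers = decoded, layers + 1
    return layers

# Constructed sample request paths (the first is the example from the excerpt).
SAMPLES = [
    "/My%20Dir/My%20File.htm",        # encoded once: passes
    "/My%2520Dir/My%2520File.htm",    # %25 hides a second %20: rejected
    "/reports/100%25.htm",            # literal "%" not followed by hex: passes
    "/docs/sale%2520flyer.htm",       # file literally named "sale%20flyer.htm":
                                      # correctly encoded, yet rejected (false positive)
]

def evaluate(paths):
    """Return (path, layers, verdict) tuples for each request path."""
    return [(p, decode_layers(p), "allow" if verify_normalization(p) else "reject")
            for p in paths]

if __name__ == "__main__":
    for path, layers, verdict in evaluate(SAMPLES):
        print(f"{verdict:6} layers={layers} {path}")
```

The second and fourth samples have the same shape, so the check cannot tell a double-encoded request from a correctly encoded name that contains a literal `%20`, which is the false positive the excerpt warns about.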

Best Practices

  1. As a best practice, always make sure that you document the changes made to your server. Documenting server configuration takes a little bit of your time but it can save you hours or even days or weeks at a later time.
  2. When you create a SharePoint site, list or library, make sure that you do not use a space. You can always go back and create spaces in the name after the fact to make it more readable. By using this method, the URL will not contain the extra “garbage” %20 characters and your users will still find your list and library names readable. Spaces in SharePoint URLs cause several potential problems. The space character is replaced with %20. Not only does it make the URL difficult to read, it also increases the length of the URL, which may cause you to go over the upper limit. For example, a file or folder name in a URL cannot contain more than 128 characters in WSS 2.0/3.0 and MOSS. Although SharePoint URLs can be up to 260 characters, as a best practice I discourage people from using more than 256 characters because link list items cannot be more than 256 characters.
  3. Keep the names of your SharePoint sites, lists and libraries short. Instead of creating a library called Human Resources, call it HR. After creating the library you can change the name under Title and Description to Human Resources. Moral of the story: Avoid spaces in SharePoint URLs and be happy!