We are having a pretty bizarre issue with our IIS site and safari 5.1. Previously everything has been totally fine with safari 5.0. Some mac users have just gotten the Safari 5.1 upgrade. No big deal right? Well, for some reason I'm not able identify, we're
not receiving anything in the post from the client.
production server - no post
staging server - no post
test server - no post
dev server - no post
my local server - gets the post OK.
obviously there is an IIS configuration difference or something between them, but so far I have been unable to identify it. It should be pretty obvious right? Why would I get nothing in the post body for safari 5.1, but yet 5.0 and every other browser is fine....
Below is an example of what I see from the dev server with the failed request tracing turned on for a 200. (also the app here is in debug mode .. normally name/values are encrypted)
you can see IE 8 on the right, post body is there. safari 5.1 on the left, no post body. The only thing I've noticed so far is that safari doesn't seem to send the Content-Length: 409 header, but the fact that I've got 5.1 working on one server leads me to
believe its something that we are doing inside of IIS.
Any ideas? Thanks
It is very likely to be a browser or client side JavaScript issue, which has little to do with IIS.
You need to involve the developers of that site to review if they use an out of date AJAX or client side JavaScript libraries. At least, they are familiar with JavaScript debugging and should assist you well on troubleshooting the root cause.
Regards,
Lex Li
http://lextm.com
---------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
Thanks. well, I am one of the developers. In the example traces I posted above, there is no client side javascript or ajax, it's a plain old 1995 html form submit. There are other methods that use client ajax and they do not work either. I can see safari sending
the post body in it's inspector tool just fine, but for whatever reason when IIS looks at the request it simply doesn't see the post that it sent.
Either safari is doing something strange (or not doing something) when it sends the post.
Or IIS is doing something strange when it receives the post and goes to see what it contains.
The fact that safari 5.1 works fine against 1 server out of 5 leads me to suspect it's something in the IIS config.
Simply reading failed request tracing and hoping to find out the differences on IIS side alone is not recommended.
All HTTP conversations are carried out between the browser and the server. Therefore, you should capture more data (such as the HTTP packets) exchanged between the two. In your case, I think you can use Wireshark to capture HTTP packets on Mac + Safari 5.1
and then compare with the same capture on Mac + Safari 5.0 to see if there are any obvious differences.
The differences on IIS side can be explained once the whole conversation is nice and clear. If you don't dig more, or look at the big picture, you may get lost or miss the hints.
Regards,
Lex Li
http://lextm.com
---------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
Well yeah, I've done all that already and it didn't reveal anything, which is why I asked for help... The failed request trace I posted there was simply the most revealing thing I had to go on.
Figured it out somewhat after digging through all the config of my server vs our test server. Thankfully I had this difference and was able to spot it.
Authentication > Integrated windows authentication > advanced settings > providers > [Negotiate, NTLM] <-- Does not work
Authentication > Integrated windows authentication > advanced settings > providers > [NTLM] <-- Works
So it looks like it's a bug with safari's authentication stack, where the post body somehow gets screwed up when negotiate is enabled. It doesn't make any sense why that would happen, but really I'm seeing a lot of other odd behavior with authentication in
5.1. A lot of times, but not always, I'll get more than one password prompt when it tries to authenticate the child requests the page makes (css / js / img). I don't think it's a bug with IIS since every other browser even 5.0 is totally fine, plus that NTLM
stack should be properly implemented and untouched stable for a long time now... unless a recent windows update in that area could be contributing... that's worth checking out at least. On Monday I'll follow up with the safari folks and see if I can find the
underlying issue.
It should not be hard to find it out, if you are familiar with such typical error patterns inside network packet captures. That requires experience, and it is common that you did not realize it earlier.
But authentication between the browser and the server can lead to such problems, if Apple did make big changes in Safari 5.1.
Negotiate is something complicated, and as far as I know only Microsoft IE can handle it properly. Therefore, it is recommended that you use NTLM only for most scenarios (like what SharePoint Server does after its installation). Though it does lower the
security protection, it maximizes compatibility.
You may consult Apple support to see if they can provide details on such changes (maybe they have that details in Safari 5.1 release notes or somewhere else), but they really should be more careful on their product upgrade to make sure it maintains certain
amount of compatibility.
Regards,
Regards,
Lex Li
http://lextm.com
---------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
Well yeah, I've done all that already and it didn't reveal anything, which is why I asked for help... The failed request trace I posted there was simply the most revealing thing I had to go on.
Figured it out somewhat after digging through all the config of my server vs our test server. Thankfully I had this difference and was able to spot it.
Authentication > Integrated windows authentication > advanced settings > providers > [Negotiate, NTLM] <-- Does not work
Authentication > Integrated windows authentication > advanced settings > providers > [NTLM] <-- Works
So it looks like it's a bug with safari's authentication stack, where the post body somehow gets screwed up when negotiate is enabled. It doesn't make any sense why that would happen, but really I'm seeing a lot of other odd behavior with authentication in
5.1. A lot of times, but not always, I'll get more than one password prompt when it tries to authenticate the child requests the page makes (css / js / img). I don't think it's a bug with IIS since every other browser even 5.0 is totally fine, plus that NTLM
stack should be properly implemented and untouched stable for a long time now... unless a recent windows update in that area could be contributing... that's worth checking out at least. On Monday I'll follow up with the safari folks and see if I can find the
underlying issue.
Thanks
Did you ever figure out the underlying issue? I'm still seeing the exact behavior you described, and the incremental Safari updates haven't helped.
Nope, not yet. I've got a bug opened with apple, which is moving very slowly, especially since I cannot provide them a public URL to see the problem.
So to them the problem is "just on my end, unconfirmed". Unfortunately their bug tracker does not let you see bug reports initiated by anyone other than yourself, but it might help if you opened a duplicate issue describing the same problem.
(be forewarned it is very difficult to even get into their bug tracker and create something, and they take 2-3 weeks to even look at it.)
Since I can't provide a public URL, perhaps you can?
I just thought I would throw this out there and see if anyone had some comments on this. I was experiencing the same behavior with Safari/IIS, and just stumbled across something. If you go to the Advanced Settings of the Windows Authentication in the Authentication
configuration of the web site application in IIS, there is a check box labeled "Enable Kernel-mode authentication". This was checked by default--when I unchecked it, Safari didn't have any more problems with the empty POST body. Is this a suitable workaround
for the time-being, or is it not a good idea?
john.newman
26 Posts
IIS7.5 receives empty post body from Safari 5.1??
Oct 13, 2011 06:16 PM|LINK
We are having a pretty bizarre issue with our IIS site and safari 5.1. Previously everything has been totally fine with safari 5.0. Some mac users have just gotten the Safari 5.1 upgrade. No big deal right? Well, for some reason I'm not able identify, we're not receiving anything in the post from the client.
production server - no post
staging server - no post
test server - no post
dev server - no post
my local server - gets the post OK.
obviously there is an IIS configuration difference or something between them, but so far I have been unable to identify it. It should be pretty obvious right? Why would I get nothing in the post body for safari 5.1, but yet 5.0 and every other browser is fine....
Below is an example of what I see from the dev server with the failed request tracing turned on for a 200. (also the app here is in debug mode .. normally name/values are encrypted)
[IMG]http://i1092.photobucket.com/albums/i410/jim_newton/work-stuff/safari-51-empty-post.jpg[/IMG]
you can see IE 8 on the right, post body is there. safari 5.1 on the left, no post body. The only thing I've noticed so far is that safari doesn't seem to send the Content-Length: 409 header, but the fact that I've got 5.1 working on one server leads me to believe its something that we are doing inside of IIS.
Any ideas? Thanks
lextm
4489 Posts
Re: IIS7.5 receives empty post body from Safari 5.1??
Oct 14, 2011 08:58 AM|LINK
It is very likely to be a browser or client side JavaScript issue, which has little to do with IIS.
You need to involve the developers of that site to review if they use an out of date AJAX or client side JavaScript libraries. At least, they are familiar with JavaScript debugging and should assist you well on troubleshooting the root cause.
Regards,
http://lextm.com
---------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
john.newman
26 Posts
Re: IIS7.5 receives empty post body from Safari 5.1??
Oct 14, 2011 01:49 PM|LINK
Either safari is doing something strange (or not doing something) when it sends the post.
Or IIS is doing something strange when it receives the post and goes to see what it contains.
The fact that safari 5.1 works fine against 1 server out of 5 leads me to suspect it's something in the IIS config.
Any ideas?
lextm
4489 Posts
Re: IIS7.5 receives empty post body from Safari 5.1??
Oct 15, 2011 03:16 AM|LINK
Simply reading failed request tracing and hoping to find out the differences on IIS side alone is not recommended.
All HTTP conversations are carried out between the browser and the server. Therefore, you should capture more data (such as the HTTP packets) exchanged between the two. In your case, I think you can use Wireshark to capture HTTP packets on Mac + Safari 5.1 and then compare with the same capture on Mac + Safari 5.0 to see if there are any obvious differences.
The differences on IIS side can be explained once the whole conversation is nice and clear. If you don't dig more, or look at the big picture, you may get lost or miss the hints.
Regards,
http://lextm.com
---------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
john.newman
26 Posts
Re: IIS7.5 receives empty post body from Safari 5.1??
Oct 15, 2011 10:33 PM|LINK
Figured it out somewhat after digging through all the config of my server vs our test server. Thankfully I had this difference and was able to spot it.
Authentication > Integrated windows authentication > advanced settings > providers > [Negotiate, NTLM] <-- Does not work
Authentication > Integrated windows authentication > advanced settings > providers > [NTLM] <-- Works
So it looks like it's a bug with safari's authentication stack, where the post body somehow gets screwed up when negotiate is enabled. It doesn't make any sense why that would happen, but really I'm seeing a lot of other odd behavior with authentication in 5.1. A lot of times, but not always, I'll get more than one password prompt when it tries to authenticate the child requests the page makes (css / js / img). I don't think it's a bug with IIS since every other browser even 5.0 is totally fine, plus that NTLM stack should be properly implemented and untouched stable for a long time now... unless a recent windows update in that area could be contributing... that's worth checking out at least. On Monday I'll follow up with the safari folks and see if I can find the underlying issue.
Thanks
lextm
4489 Posts
Re: IIS7.5 receives empty post body from Safari 5.1??
Oct 16, 2011 01:02 PM|LINK
Glad to hear that you find out the problem.
It should not be hard to find it out, if you are familiar with such typical error patterns inside network packet captures. That requires experience, and it is common that you did not realize it earlier.
But authentication between the browser and the server can lead to such problems, if Apple did make big changes in Safari 5.1.
Negotiate is something complicated, and as far as I know only Microsoft IE can handle it properly. Therefore, it is recommended that you use NTLM only for most scenarios (like what SharePoint Server does after its installation). Though it does lower the security protection, it maximizes compatibility.
You may consult Apple support to see if they can provide details on such changes (maybe they have that details in Safari 5.1 release notes or somewhere else), but they really should be more careful on their product upgrade to make sure it maintains certain amount of compatibility.
Regards,
Regards,
http://lextm.com
---------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
tom1132
1 Post
Re: IIS7.5 receives empty post body from Safari 5.1??
Feb 17, 2012 06:59 PM|LINK
john.newman
26 Posts
Re: IIS7.5 receives empty post body from Safari 5.1??
Feb 17, 2012 07:09 PM|LINK
So to them the problem is "just on my end, unconfirmed". Unfortunately their bug tracker does not let you see bug reports initiated by anyone other than yourself, but it might help if you opened a duplicate issue describing the same problem.
(be forewarned it is very difficult to even get into their bug tracker and create something, and they take 2-3 weeks to even look at it.)
Since I can't provide a public URL, perhaps you can?
pdearmore
1 Post
Re: IIS7.5 receives empty post body from Safari 5.1??
Apr 10, 2012 06:21 PM|LINK
I just thought I would throw this out there and see if anyone had some comments on this. I was experiencing the same behavior with Safari/IIS, and just stumbled across something. If you go to the Advanced Settings of the Windows Authentication in the Authentication configuration of the web site application in IIS, there is a check box labeled "Enable Kernel-mode authentication". This was checked by default--when I unchecked it, Safari didn't have any more problems with the empty POST body. Is this a suitable workaround for the time-being, or is it not a good idea?