I worked a case recently with FIM CM where the user was unable to search for requests with the Bulk Client to print smart cards.

After a few lengthy troubleshooting sessions I stumbled across Double Escapes.  The resolution to the case was to add a “true” condition for double escapes in either the IIS server or the website for the FIM CM Portal.

There are two methods to implement the fix:

Manually adding

<requestFiltering allowDoubleEscaping="true">

to the following files:

Server Specific:

applicationhost.config

Site Specific:

web.config

Automatically changing the files with the following command:

Site Specific:
Appcmd set config "Default Web Site" /section:system.

webServer/Security/requestFiltering

-allowDoubleEscaping:True

Site Specific w/ a location tag:
appcmd set config "Default Web Site" /section:system.

webServer/Security/requestFiltering

-allowDoubleEscaping:True /commit:appHost

Double escapes can become a  security hole for an IIS server.  In our case, the customer was not concerned with the security hole that allowing double escapes created since the server was internal to the company, only 2 people had access to it and the site was only accessed from a single Windows 7 client where the Bulk Client for FIM CM was installed

So what are Double Escapes?

Forgive me but I am not an IIS expert, but Double Escapes are the ability for an IIS server to interpret something like (FirstName LastName) into FirstName%20Lastname.  Potentially this could give someone the ability to inject SQL code or java into a URL which could possibly lead to code execution.

For more information:

Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 404.11 – URL_DOUBLE_ESCAPED"