Microsoft KB Archive/294807

= HOW TO: Turn Off the Internet Explorer 5.x and 6.x &quot;Show Friendly HTTP Error Messages&quot; Feature on the Server Side =

Article ID: 294807

Article Last Modified on 7/16/2007

-

APPLIES TO


 * Microsoft Internet Information Server 4.0
 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Services 5.1

-



This article was previously published under Q294807



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



IN THIS TASK
SUMMARY
 * Introduction
 * Method 1
 * Method 2
 * Method 3

REFERENCES



SUMMARY
This step-by-step article describes different methods to turn off the &quot;Show Friendly HTTP Error Messages&quot; feature on the server.

back to the top

Introduction
When you access Web pages from Internet Explorer 5.x and Internet Explorer 6.x, the actual text of an HTTP 500 message that is sent to the browser may be masked by an Internet Explorer &quot;friendly&quot; error message. Although you can turn off this feature manually for each client, this article also provides several server-side workarounds to inhibit the display of &quot;friendly&quot; error messages.

According to the HTTP 1.1 specification, Internet Information Services (IIS) 5.0 returns a status code of 500 for any response that is not handled by another 1xx, 2xx, 3xx, 4xx, or 5xx status code, such as &quot;302 - Object Moved&quot;, or &quot;404 - File not Found&quot;. Because IIS 4.0 does not strictly follow RFC 2616, it returns Active Server Pages (ASP)-based Microsoft Visual Basic Scripting Edition (VBScript) errors with a status code of 200.

For more information about the HTTP 1.1 specification, visit the following Web site:

RFC 2616

http://rfc.net/rfc2616.html

Several frequently-seen status codes have &quot;friendly&quot; error messages that Internet Explorer 5.x displays and that effectively mask the actual text message that the server sends. However, these &quot;friendly&quot; error messages are only displayed if the response that is sent to the client is less than a specified threshold. For example, to see the exact text of an HTTP 500 response, the content length must be greater than or equal to 512 bytes.

For additional information about all status codes that display friendly error messages and the registry location for the corresponding error threshold to override that friendly message, click the article number below to view the article in the Microsoft Knowledge Base:

218155 Description of Hypertext Transport Protocol Error Messages

To display the actual message that the Web server sends, use one of the following methods.

back to the top

Method 1
 Turn off the friendly error message option in the browser as follows:  In Internet Explorer 5.x and 6.x, on the Tools menu, click Internet Options. On the Advanced tab, under the Browsing section, click to clear the Show friendly HTTP error messages check box, and then click OK. Close the browser.  Use the Internet Explorer Administration Kit or System Policies to push the Show friendly HTTP error messages option down to clients. For more information about how to configure the &quot;Custom ASP Errors&quot; feature, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/ie/bb219517.aspx

</li></ol>

back to the top

Method 2
 Use the &quot;Custom ASP Errors&quot; feature in IIS 5.0 to pad the response that the server sends with enough characters to override the friendly error messages. To download the &quot;Custom ASP Errors&quot; feature, visit the following Microsoft Web site:

http://www.microsoft.com/windows2000/en/server/iis/htm/core/iierrcst.htm

</li>  Implement this padding. To do this, use the VBScript String function to return a string of the same character, which is one more than the ErrorThreshold that Internet Explorer 5.x uses to display the friendly error message. For example, add the following line immediately before the tag of 500-100.asp: <% Response.Write String(513, &quot;_&quot;) %> </li> Configure the general 500 error to use Type=URL and 500-100.asp instead of Type=Default. By default, the 500 error is configured to use Type=Default.For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

224070 Creating Custom ASP Error Pages

NOTE: IIS internally processes some HTTP 500 responses that are sent to the client as another HTTP status code. That internal status code is changed to 500 before the response to the client is sent. This is the case with the ASP Response.Status method. In these cases, the custom ASP error code is not checked in IIS. To work around these situations, use an Internet Server Application Programming Interface (ISAPI) filter that determines the status code that is sent to the client after IIS processes the page.</li></ol>

back to the top

Method 3
Use an ISAPI filter that forces the content length of all HTTP 500 responses to be larger than 512 bytes, effectively padding all 500 responses so that they are large enough to override the &quot;friendly&quot; error setting in Internet Explorer 5.x and 6.x. Padresponse.exe is a sample ISAPI filter (and its source code) that demonstrates how to pad the response that is sent to the client (based on receiving an HTTP 500 status code).

The following file is available for download from the Microsoft Download Center:

Download Padresponse.exe now

Release Date: April 27, 2001

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. back to the top

<div class="references_section">