With the arrival of ASP.NET MVC and the complementary IIS7 file-extension-less request pipeline it’s finally possible to turn ugly “classic ASP.NET” query string URLs into pretty and orderly REST-style URLs, functionality that PHP had for ages. Out with http://mysite.com/catalog.aspx?category=1&product=100, here comes the more pleasing http://mysite.com/widgets&gadgets/the-useful-&-beautiful-widget
However, the ampersand in the latter will generate a “400 Bad Request” response with the default settings in IIS 7 because the ampersand (&) is not acceptable in the request for security reasons. As discussed here, it takes two measures to fix this and make the URL (I did not have to take the third measure quoted in the post, which is setting ValidateRequest=”false” in the ASP.NET MVC view page):
- AllowRestrictedChars http://support.microsoft.com/kb/820129
- Interestingly enough, enable VerificationCompatibility (http://support.microsoft.com/default.aspx?scid=kb;EN-US;826437), a measure designed for pre-SP1 ASP.NET 1.1, but necessary here even with ASP.NET 3.5 to get the ampersand URLs working.
Hope it helps.
December 30th, 2008 at 1:33 am
You my man, are a legend! Thank you so much for this post. I had searched for ages in Google for a solution to my ampersand problem that occurred after updating the latest service packs, and now it is resolved!
February 6th, 2009 at 12:16 am
Thanks Dirk! I’ve just ran into this ampersand 400-error problem for the first time.
Luckily, I found your post and quickly fixed it!
I did see the posts on the ASP.NET forums, but it’s nice to read a condensed, “do this, it works” blog post, thanks!
April 28th, 2009 at 3:36 am
[...] a %, &, *, or : in the URL. The various fixes were scattered around different forum posts, but summed up nicely at Dirk.Net. Unfortunately, the only answer seemed to be “make a registry change” or “don’t pass those [...]
May 20th, 2009 at 7:24 am
Thanks!
May 27th, 2009 at 3:01 pm
[...] Finally, the solution was found @ dirk.net with an article regarding 400 bad request in IIS7 (But IIS6 also has the same problem and the solution will work there too). You can read about it here. [...]
October 14th, 2009 at 9:53 pm
Doesn’t seem to work for IIS7.5, sadly. Any ideas?
November 17th, 2009 at 11:33 pm
Found the solution. Problem is that I’m running 64 bit Windows but 32 bit IIS, so the registry entries are in a different location.
The only change I needed to make was at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\ASP.NET. Added DWORD VerificationCompatibility = 1
February 24th, 2010 at 11:19 pm
I still get “Bad Request” if I add UrlRoutingModule to
<add name=”UrlRoutingModule” …
If I remove that line it works. Any help appreciated …
April 16th, 2010 at 12:55 pm
It seems to be a solution for the ampersand problem. But it’s not. This will introduce a security risk, and that’s a far more bigger problem to me. The only solution is ‘do not ampersands in file and folder names’.
April 19th, 2010 at 8:39 pm
@Patrick: Not sure if they’re actually a security risk, but you’re absolutely right that ampersands don’t belong in an URL and should be avoided or encoded. Google doesn’t like them either. Thanks for your comment!
May 4th, 2010 at 11:10 am
Enabling VerificationCompatibility worked for me.
Below is link for more info
http://support.microsoft.com/default.aspx?scid=kb;EN-US;826437