Due to a change in IIS 7’s security model, it is much stricter about what is and what isn’t a valid URL – that includes rejecting URLs that have a plus symbol (+) in the path (not the query string). I’ve found this problem normally occurs when you are using URL re-writing to turn ugly URLs like ‘default.aspx?my+value’ into pretty, human-friendly URLs like ‘/my+value’.
To work around this new feature you can put the following in your web.config:
<system.webServer>
  <security>
    <requestFiltering allowDoubleEscaping="true" />
  </security>
</system.webServer>
Be warned though, you are disabling a security feature so you are opening yourself up to attacks using malicious URLs. Ensure that you really do need to have + symbols in the URL before doing this. For example, if the plus sign is coming from having spaces in a string, could you replace the spaces with a hyphen (-)?
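If the plus signs cannot be avoided, the relaxation can be limited to the part of the site that needs it rather than applied everywhere. The following is an added example, not part of the original post: it assumes the rewritten URLs that contain + all live under one path prefix, and the prefix name "tags" is hypothetical.

```xml
<configuration>
  <system.webServer>
    <security>
      <!-- Site-wide: keep the default, so double-escaped URLs are still rejected -->
      <requestFiltering allowDoubleEscaping="false" />
    </security>
  </system.webServer>

  <!-- "tags" is a hypothetical path prefix; use the one your rewritten URLs share -->
  <location path="tags">
    <system.webServer>
      <security>
        <!-- Only requests under /tags may carry + in the path -->
        <requestFiltering allowDoubleEscaping="true" />
      </security>
    </system.webServer>
  </location>
</configuration>
```

Requests with a + in the path anywhere outside the chosen prefix continue to be rejected by request filtering.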