5 Feb, 2026
The Dreaded ERR_HTTP2_PROTOCOL_ERROR Error Caused by a Redirect
The dreaded ERR_HTTP2_PROTOCOL_ERROR error. Just search for this one and you’ll see there is little consistency in fixes, and a lot of confusion. All development environments started throwing this error, but only on sign in. Why only there? A bad security measure was the culprit.
My journey through this head scratcher starts with a vanilla installation of Sitecore. All logs are clean and operations are normal. But after first deployment, visiting https://localsc.dev.local/sitecore/shell/default.aspx brought up the following error.
Hmmm… can't reach this page
It looks like the webpage at https://localsc.dev.local/iden... might be having issues, or it may have moved permanently to a new web address.
ERR_HTTP2_PROTOCOL_ERROR
So, what made this hard was the response the client was getting. After just recently updating certificates, my mind went to SSL. I played with the bindings, enabling and disabling various options to see what’s what. We also have restrictive policies in place, and I wouldn’t put it past those to block self-signed certificates.

The next area to check was the configuration, but IIS reports an issue with web.config, which, as it turns out, is expected in a Sitecore installation.

It did get me thinking, though, that the web.config had just been updated, so I reverted the file and all was well again.

Digging through the changes I see a recent commit that’s being applied to all Roles, and not just the Content Delivery instance further in the release chain:
<rule name="Block login Request" stopProcessing="true">
  <match url="(^|/)login(/|$)" ignoreCase="true" />
  <action type="AbortRequest" />
</rule>
And here is the problem: when a user logs in, the next URL is https://localsc.dev.local/identity/login/shell/SitecoreIdentityServer?ReturnUrl=/sitecore/shell/default.aspx. Its path contains a /login/ segment, so the rule matches and the request is aborted. This would be much easier to troubleshoot if a different rule had been applied, one that is not vague as to the cause:
<rule name="Block login Request" stopProcessing="true">
  <match url="(^|/)login(/|$)" ignoreCase="true" />
  <action type="CustomResponse"
          statusCode="403"
          subStatusCode="0"
          statusReason="Forbidden"
          statusDescription="Access denied" />
</rule>
Which would result in:
HTTP Error 403.0 - Forbidden
Access denied
So for those of you who see this protocol error, don’t forget to check your blocking / rules!
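One way to catch this before deployment is to test the URLs a role must keep serving against its blocking rewrite rules. The script below is an added example, not code from the original post; the `<rewrite><rules>` wrapper, the function names and the last two sample URLs are assumptions. It handles only regex `match url` patterns, ignores `<conditions>`, and uses Python's regex engine as an approximation of the one IIS uses.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Rule copied from the post; the <rewrite><rules> wrapper is assumed.
WEB_CONFIG_FRAGMENT = """
<rewrite><rules>
  <rule name="Block login Request" stopProcessing="true">
    <match url="(^|/)login(/|$)" ignoreCase="true" />
    <action type="AbortRequest" />
  </rule>
</rules></rewrite>
"""

# URLs this role must keep serving. The first two are from the post,
# the last two are constructed to show the pattern's boundaries.
BASE = "https://localsc.dev.local"
REQUIRED_URLS = [
    BASE + "/identity/login/shell/SitecoreIdentityServer?ReturnUrl=/sitecore/shell/default.aspx",
    BASE + "/sitecore/shell/default.aspx",
    BASE + "/sitecore/login",
    BASE + "/loginhelp",
]

def rewrite_input(url):
    """URL Rewrite tests <match url> against the path only: no leading slash, no query string."""
    return urlsplit(url).path.lstrip("/")

def blocking_rules(fragment, url, actions=("AbortRequest", "CustomResponse")):
    """Return (rule name, action type) for every blocking rule that matches url."""
    hits = []
    for rule in ET.fromstring(fragment).iter("rule"):
        match, action = rule.find("match"), rule.find("action")
        if match is None or action is None or action.get("type") not in actions:
            continue
        flags = re.IGNORECASE if match.get("ignoreCase", "true").lower() == "true" else 0
        matched = re.search(match.get("url"), rewrite_input(url), flags) is not None
        if match.get("negate", "false").lower() == "true":
            matched = not matched
        if matched:
            hits.append((rule.get("name"), action.get("type")))
    return hits

def audit(fragment=WEB_CONFIG_FRAGMENT, urls=REQUIRED_URLS):
    """Map each required URL that a blocking rule would stop to the rules responsible."""
    return {u: h for u in urls if (h := blocking_rules(fragment, u))}

if __name__ == "__main__":
    for url, hits in audit().items():
        print("BLOCKED", url, hits)
```

Run against each role's transformed web.config, a non-empty result means a block rule meant for one role would also stop a URL that role needs.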


