Redirecting Windows Authentication to a custom 401 page
<p>We are converting some of our web applications that used to run under forms authentication to now run as Windows authentication. I want to recreate the page security that forms authentication had with minimum modification to the actual pages. I was able to recreate the effect I want with a simplified web app. I am running the app on Server 2008 R2 integrated pipeline IIS 7.5.</p>
<p>I created a simple 3-page app using Windows authentication. The three pages are:</p>
<ul>
<li>Openpage.aspx, which is open to any authenticated user</li>
<li>Blockedpage.aspx, which is blocked to all users (symbolic of a directory or page that would be blocked to a subset of users based on user role)</li>
<li>ErrorPage.aspx: if blockedpage.aspx is accessed (and rejected), the application should forward to ErrorPage.aspx, where the user gets generic information about the application.</li>
</ul>
<p>The Web.Config for the app:</p>
<pre><code>&lt;configuration&gt;
  &lt;system.web&gt;
    &lt;compilation debug="true" targetFramework="4.0" /&gt;
    &lt;authentication mode="Windows"/&gt;
    &lt;authorization&gt;
      &lt;deny users="?" /&gt;
      &lt;allow users="*" /&gt;
    &lt;/authorization&gt;
  &lt;/system.web&gt;
  &lt;location path="blockedpage.aspx"&gt;
    &lt;system.web&gt;
      &lt;authorization&gt;
        &lt;deny users="*"/&gt;
      &lt;/authorization&gt;
    &lt;/system.web&gt;
  &lt;/location&gt;
  &lt;system.webServer&gt;
    &lt;httpErrors errorMode="Custom" &gt;
      &lt;remove statusCode="401" subStatusCode="-1" /&gt;
      &lt;error statusCode="401" path="/development/simplesecurityapp/errorpage.aspx" responseMode="ExecuteURL" /&gt;
    &lt;/httpErrors&gt;
    &lt;validation validateIntegratedModeConfiguration="false" /&gt;
    &lt;defaultDocument&gt;
      &lt;files&gt;
        &lt;clear /&gt;
        &lt;add value="openpage.aspx" /&gt;
      &lt;/files&gt;
    &lt;/defaultDocument&gt;
  &lt;/system.webServer&gt;
&lt;/configuration&gt;
</code></pre>
<p>(If I don’t attempt to redirect the 401 errors at the ASP.NET level, I just get the standard “not authorized message”, which is not the effect I want to give my users.)</p>
<p>However, I am getting an error that I don’t understand – every time the server resets, the app stops working. IIS simply returns 401 errors until the browser pops up a manual log-in control, which cannot be satisfied. (I never want my users to be presented with the browser log-in prompt.)</p>
<p>However, if I replace the httpErrors section once the application is set up (either by editing the Web.Config or updating it with the server GUI), removing the section, accessing the page, and then adding the section back, the application starts to work as expected, and continues to do so until the server is rebooted, at which time it starts giving users the manual login pop-up again, which they cannot resolve.</p>
<p>1) Is this the correct way to secure an app with Windows authentication (is there a better way to configure a directory inaccessible like in forms, yet still supply a custom error page)?</p>
<p>2) Is this an effect of the integrated pipeline, and why is it working this way?</p>
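<p>An added example, not part of the original question: a small Python audit that evaluates the question's authorization rules the way ASP.NET URL authorization does (page-level location rules first, then application rules, first match wins, default allow), so you can check which pages an anonymous or authenticated request may reach. The names rules and is_allowed and the account CORP\alice are hypothetical; the sketch matches location paths exactly and ignores the roles and verbs attributes.</p>

```python
import xml.etree.ElementTree as ET

# Constructed input: the authorization parts of the Web.config from the question.
WEB_CONFIG = """
<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="blockedpage.aspx">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
"""

def rules(node):
    """Return [(action, [user tokens])] from <system.web><authorization> under node."""
    auth = node.find("system.web/authorization")
    if auth is None:
        return []
    return [(r.tag, [u.strip() for u in r.get("users", "").split(",") if u.strip()])
            for r in auth if r.tag in ("allow", "deny")]

def is_allowed(config_xml, page, user):
    """user is None for an anonymous request, otherwise the account name."""
    root = ET.fromstring(config_xml)
    merged = []
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == page.lower():
            merged += rules(loc)          # page-level rules are checked first
    merged += rules(root)                 # then the application-level rules
    for action, users in merged:
        for token in users:
            matches = (token == "*" or (token == "?" and user is None)
                       or (user is not None and token.lower() == user.lower()))
            if matches:
                return action == "allow"  # first matching rule wins
    return True                           # machine-level default is allow users="*"
```

<p>Under these rules errorpage.aspx is reachable by any authenticated account and by no anonymous request, the same as openpage.aspx.</p>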
 
