IIS and Windows authentication not allowing error pages

Question

I have been trying this from last two days. I am not getting whats the problem. I searched the web but didn't find any solution. i tried all the settings of IIS like "Moving negotiate down, disable other authentication" but doesn't work. SO here is my problem: I have a intranet web application in ASP.NET which is using username and passwords stored in Active Directory. I have five different pages in my application. All the pages are stored in a separate folders with their web.config files. These web.config files have names of the users which are allowed to view that page like this.

<authorization>
<allow users="Domainname\username"/>
</authorization>

I want to redirect those users who are not in the above list to other error page with appropriate message. I used this

protected void Application_EndRequest(object sender, EventArgs e)
{

    if (HttpContext.Current.Response.Status.StartsWith("401"))
    {
        HttpContext.Current.Response.ClearContent();
        Response.Redirect("~/myerrorpage.aspx?myerrormsg=you are not allowed");
    }
}

This is working on the localhost, but when I am putting my application in IIS all the authorized users (those who are in list) are also redirecting to the error message page.

Outside of IIS, it is working correctly. However, I am not able to redirect unauthorized users to error message page. I have also tried with Error pages settings of IIS, but I'm having the same problem.

Please suggest to me what should I do to correct this. Is there is any other way to do it?

score 0 · Answer 1 · answered Jun 17 '15 at 18:21

0

I don't know for sure if this is what the issue is in you specific case, but in general, the process is:

Browser tries to connect anonymous on first connection
Web server says "sorry you can't do that, error 401, here's the ways the user can authenticate"
Browser sorts out authentication (asking user for credentials for example)
Browser makes second request, with authentication header info included

My guess is that you're failing at step (1) by catching the first 401 before the user has a chance to supply credentials. You can verify this with F12 tools or with a tool like Fiddler.

answered Jun 17 '15 at 18:21

MikeBaz - MSFT

1,253
3
15
35

Thanks mike for your reply. The problem is if I am adding custom error page or the code given above in Global.asmx, the all the authorize users are redirecting to Error page. For authorize users there is no problem. – Rebecca Jun 17 '15 at 19:00
Should I disable anonymous authentication? – Rebecca Jun 17 '15 at 19:01

score 0 · Accepted Answer · answered Jun 18 '15 at 15:24

0

if you are using Windows authentication then you should keep this in mind- If you are manually enabling windows authentication in IIS the please do not include the code below in your web.config

<authentication mode="Windows" />

if you use this, it will cause the same problem as I stated above in my question.

answered Jun 18 '15 at 15:24

Rebecca

11
1
5

Does this mean you're solved then? if so you should mark this as the answer :) – MikeBaz - MSFT Jun 18 '15 at 21:56
Thanks Mike for your help:) Actually right now it's not allowing me to mark my answer as a Answer.. I will do it tomorrow:) – Rebecca Jun 18 '15 at 22:17

IIS and Windows authentication not allowing error pages

2 Answers2