I have a site where only authorizated users can access.
I also have a custom error page if a 401.2 is raised.
I configured web.config in the following way:
<system.webServer>
<httpErrors errorMode="Custom">
<remove statusCode="401" subStatusCode="-1" />
<error statusCode="401" subStatusCode="-1"
path="ERRORS\unauthorized.html"
responseMode="File">
</error>
</httpErrors>
</system.webServer>
However when I try access to my site the following happen:
http://localhost --> the ERRORS\unauthorized.html is showed;
http://localhost/index.html --> the ERRORS\unauthorized.html is not showed and I can access the page!
I also noticed two things:
if I change the page to index.aspx the ERRORS\unauthorized.html is showed;
if I use a different statusCode, i.e., 404 the HTML page is showed.
so what am I not understanding? Where is my mistake?
P.S.
I'm using IIS 10 and .NET 4.7
What authentication are you using?
Assuming you are using Anonymous authentication at the IIS level and some kind of authentication in asp.net or system.web layer, the asp.net pipeline doesn't come into picture when you access the static files as they are handled by the static file handler. SO the authorization is not coming into picture. ALso try to configure the app pool to run in integrated mode and try, because integrated mode combines iis and asp.net pipeline, if youa are running in classic it won't
ALso to add another note on the line, 401.2 is a status responded back by the server that there is no user info being passed and client has to login, this doesn't necessarily have to deal with authorization and it is a way of authentication how servers work.
Related
I have a project that is running a small node.js application as a reverse proxy. Some of the requests the reverse proxy receives are directed to IIS installed on the same machine, which naturally hit IIS over localhost / 127.0.0.1.
As a result, IIS automatically returns detailed error messages in the case of an error. Naturally, the proxy sends these to the user, which is not good because they contain more information than I want external users to see. I have tried to turn off the detailed error messages by explicitly setting compilation debug="false" in web.config, but since the requests come over the localhost, IIS seems determined to return detail debug error messages.
Is there a way to disable these debug error messages from being returned even when the request is coming over localhost?
I am running Windows 2012 RS, IIS 8, .NET 4.6.
OK, I found what I needed to do to make sure that IIS never returns detailed error messages, local or not.
More details can be found here.
The short answer is: Launch IIS Manager, click on the website, under IIS go to Error Pages, right click on the pre-defined error message and select "Edit Feature Settings", and select "Custom error pages". Then define the page that you want displayed.
Alternatively, you can define your preferences in web.config under system.webServer with values such as those listed below. The "errorMode" defaults to "DetailedLocalOnly", which causes the issue I am trying to avoid. Setting to "Custom" resolves the issue.
<httpErrors errorMode="Custom">
<remove statusCode="401" subStatusCode="-1"/>
<error statusCode="401" prefixLanguageFilePath="" path="/errors/401.html" responseMode="ExecuteURL"/>
</httpErrors>
I have a webpage(home.aspx) that requires Windows Authentication. If the browser automatically sends in valid credentials, then home.aspx is displayed. Otherwise, login.aspx is displayed.
In IE, I have checked off the "Prompt for User name and Password" checkbox in Internet Options > Local Intranet > Custom level > User Authentication.
I have following the steps in http://www.codeproject.com/Articles/11202/Redirecting-to-custom-page-when-quot-Access-de , and it works fine on my local development server. However, on the production server, it is a different story.
In IIS, Home.aspx has anonymous authentication disabled, and windows authentication enabled. Login.aspx has anonymous authentication enabled and windows authentication disabled.
In the development server, on a computer that is logged in using correct credentials, home.aspx shows up. And, when the browser does not send in the credentials, Application_EndRequest is hit with a 401 status code, then the default Windows Authentication Prompt shows.
After cancelling this dialog, login.aspx is shown. This is the correct behavior.
However, in production server, on a computer that is logged in using correct credentials, home.aspx shows up. And, when the browser does not send in the credentials, Application_EndRequest is hit with a 401 status code, then the default Windows Authentication Prompt shows. After cancelling this dialog, the default 401 page shows.
Does anyone what is going on the production server, and why I am not able to intercept the 401 status code and redirect to a custom web page.
In IIS 7, they added an attribute in web.config that controls the behavior of custom errors. By default, custom and detailed errors are only shown on the local browser. To show your custom errors, you need to change this in the web.config <httpErrors> element, errorMode attribute.
<configuration>
<system.webServer>
<httpErrors errorMode="DetailedLocalOnly" defaultResponseMode="File" >
<remove statusCode="500" />
<error statusCode="500"
prefixLanguageFilePath="C:\Contoso\Content\errors"
path="500.htm" />
</httpErrors>
</system.webServer>
</configuration>
DetailedLocalOnly is the default; other possible values are Detailed and Custom.
For more reading, here is the Microsoft article that talks about this configuration.
Aside: The article you linked is more than 10 years old, and is therefore quite suspect for "modern" development. One of the comments on the article, posted about 5 years later, points to this same problem and solution.
Coldfusion is currently handling *.cfm and *.html pages. If I request a non-existing page, such as www.example.com/sadfasdfasd.cfm, IIS still passes the request off to the Coldfusion handler instead of directing to the IIS 404 error page. The Coldfusion handler responds with the Debugger page stating that the file is not found. How can I get IIS to check if a file exists before passing it to the handler. If it doesn't exist, I'd like it to display the 404 error page. Currently my error pages are setup to provide detailed errors for both local and remote.
If you go into IIS and turn off detailed error messages, it will display the IIS error rather than letting coldfusion handle it.
If you have access to the IIS Manager, go to the site > Error pages > "edit feature" on the right side. There is probably equivalent code you can put into your web.config file to handle this too.
You can choose any of the other options depending on your needs.
Please note this is also the feature that allows you to see the coldfusion errors from coldfusion's debugger.
Try adding an httpErrors entry to your root web.config file as follows:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<httpErrors errorMode="Custom">
<remove statusCode="404" subStatusCode="-1" />
<error statusCode="404" path="404.html" responseMode="File" />
</httpErrors>
</system.webServer>
</configuration>
Your custom 404.html page should also reside in the root folder.
I'm testing an IIS 7.5 site with Managed Pipeline Mode = 'Integrated'
My site targets mobile devices and leverages well formed URLs to pass parameters with a minimum of typing. For example 'mysite.com/bob1234' in this case 'bob1234' is actually parameter.
In the Application.BeginRequest, I process the Request.Url.AbsolutePath using a regular expression to determine if the URL is well formed.
I wanted to add a Custom 404 page, if a user mistypes the URL i.e. mysite.com/boob1234.
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="~/MobileError.aspx">
<error statusCode="404" redirect="404.htm"/>
</customErrors>
</system.web>
And while this catches errors when the extension is '.aspx', it does not catch 404(s) when no handler is mapped, for example '/mysite.com/boob1234'.
I followed the instructions and also added a element to my system.webserver
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<httpErrors defaultResponseMode="Redirect" errorMode="DetailedLocalOnly">
<remove statusCode="404" subStatusCode="-1"/>
<error statusCode="404" prefixLanguageFilePath=""
path="/mobile/MobileError.aspx" responseMode="ExecuteURL"/>
</httpErrors>
</system.webServer>
But no iteration of this seems to work. When I uncomment the block, I get a 500 error. And no, there doesn't seem to be any problem with my code. I get a 500 error, even when I just forward to an plain HTML Page.
I did implement failed request tracing to see what I could see.
I get the expected: 404 thrown by IIS Web Core.
Then a few steps later the CustomerErrorModule starts, but it fails with a 500 error. The detailed message is
ConfigExceptionInfo:
\?\C:.....\MyApp\web.config ( 89)
:This configuration section cannot be
used at this path. This happens when
the section is locked at a parent
level. Locking is either by default
(overrideModeDefault="Deny"), or set
explicitly by a location tag with
overrideMode="Deny" or the legacy
allowOverride="false".
I've tried walking up the '.config' stack, and haven't found any references to overrideMode="Deny"
Any help would be awesome. Totally stuck now.
Thanks:
Dylan
This has to do with the lifecycle of a request within IIS. In your case where there is no handler mapped, the 404 is recognized before the ASP dlls are even called into play. For items that are not explicitly identified in IIS as requiring Asp.Net, the IIS 404 error will fire and ignore any directives within Asp.Net. Even if a wild-card is applied to the all extensions, this wild-card is only called if IIS does not detect a 404 first. This includes directories and all file extensions not handled explicitly by .Net. So if you attempt to go to http://mydomain.com/images/someimage.gif and that file does not exist, you will not receive a .Net 404 error handler. If you change .gif to .aspx the handler will subsequently fire. The only method I have seen that adequately responds to this is to change all of your 404 handlers within IIS to redirect to a URL file on your local site. It will pass an aspxerror querystring, but if you put a ?error= in your url declaration, you will be able to add specific information.
One other thing I tried, though I'm not sure I tried it correctly, is reassigning the mapping for the file within IIS. We defined that Asp.Net should handle all requests for .gif at one point. The problem I had is that an image didn't come out, a Base64 encoding (I think?) text came out. Being under a deadline I did not pursue this as the simpler solution was to use the IIS custom errors mappings.
Have your tried unlocking the configuration section in the applicationhost.config?
<location path="example.net" overrideMode="Allow">
<system.webServer>
<httpErrors>
</httpErrors>
</system.webServer>
</location>
Reference: http://learn.iis.net/page.aspx/124/introduction-to-applicationhostconfig/#Locking
Just a stab in the dark, try adding this attribute to the httpErrors element:
existingResponse="PassThrough"
For example:
<httpErrors existingResponse="PassThrough"
defaultResponseMode="Redirect"
errorMode="DetailedLocalOnly">
My ASP.NET 2.0 web app includes a web service, which throws various exceptions along with custom error messages (e.g. "You do not have access to this item" etc.). These are shown on screen, in a ASP.NET AJAX callback handler.
The rest of the app is covered by some custom error pages, specified in the usual way in web.config.
<customErrors mode="RemoteOnly" defaultRedirect="Error.html">
<error statusCode="404" redirect="NotFound.html" />
<error statusCode="403" redirect="NoAccess.html" />
</customErrors>
My problem is if I have customErrors enabled in web.config, I lose my error messages returned from the web service - instead they are replaced with
"There was an error processing the request" - which isn't very useful for either me or the users.
Is there a way to turn off custom errors for just the web service?
Put your web service into separate directory and put additional web.config file in this directory. Each directory can have it own web.config containing settings of this directory (and directories inside this directory).
Yes, the custom errors element
can be defined at any level in the application file hierarchy.
So provided your WebService is in a folder you can add a web.config for that folder and turn them off.