ASP.NET. Custom Page on 401 - asp.net

I have a webpage(home.aspx) that requires Windows Authentication. If the browser automatically sends in valid credentials, then home.aspx is displayed. Otherwise, login.aspx is displayed.
In IE, I have checked off the "Prompt for User name and Password" checkbox in Internet Options > Local Intranet > Custom level > User Authentication.
I have following the steps in http://www.codeproject.com/Articles/11202/Redirecting-to-custom-page-when-quot-Access-de , and it works fine on my local development server. However, on the production server, it is a different story.
In IIS, Home.aspx has anonymous authentication disabled, and windows authentication enabled. Login.aspx has anonymous authentication enabled and windows authentication disabled.
In the development server, on a computer that is logged in using correct credentials, home.aspx shows up. And, when the browser does not send in the credentials, Application_EndRequest is hit with a 401 status code, then the default Windows Authentication Prompt shows.
After cancelling this dialog, login.aspx is shown. This is the correct behavior.
However, in production server, on a computer that is logged in using correct credentials, home.aspx shows up. And, when the browser does not send in the credentials, Application_EndRequest is hit with a 401 status code, then the default Windows Authentication Prompt shows. After cancelling this dialog, the default 401 page shows.
Does anyone what is going on the production server, and why I am not able to intercept the 401 status code and redirect to a custom web page.

In IIS 7, they added an attribute in web.config that controls the behavior of custom errors. By default, custom and detailed errors are only shown on the local browser. To show your custom errors, you need to change this in the web.config <httpErrors> element, errorMode attribute.
<configuration>
<system.webServer>
<httpErrors errorMode="DetailedLocalOnly" defaultResponseMode="File" >
<remove statusCode="500" />
<error statusCode="500"
prefixLanguageFilePath="C:\Contoso\Content\errors"
path="500.htm" />
</httpErrors>
</system.webServer>
</configuration>
DetailedLocalOnly is the default; other possible values are Detailed and Custom.
For more reading, here is the Microsoft article that talks about this configuration.
Aside: The article you linked is more than 10 years old, and is therefore quite suspect for "modern" development. One of the comments on the article, posted about 5 years later, points to this same problem and solution.

Related

ASP.NET/IIS HttpErrors and access denied response

I have a site where only authorizated users can access.
I also have a custom error page if a 401.2 is raised.
I configured web.config in the following way:
<system.webServer>
<httpErrors errorMode="Custom">
<remove statusCode="401" subStatusCode="-1" />
<error statusCode="401" subStatusCode="-1"
path="ERRORS\unauthorized.html"
responseMode="File">
</error>
</httpErrors>
</system.webServer>
However when I try access to my site the following happen:
http://localhost --> the ERRORS\unauthorized.html is showed;
http://localhost/index.html --> the ERRORS\unauthorized.html is not showed and I can access the page!
I also noticed two things:
if I change the page to index.aspx the ERRORS\unauthorized.html is showed;
if I use a different statusCode, i.e., 404 the HTML page is showed.
so what am I not understanding? Where is my mistake?
P.S.
I'm using IIS 10 and .NET 4.7
What authentication are you using?
Assuming you are using Anonymous authentication at the IIS level and some kind of authentication in asp.net or system.web layer, the asp.net pipeline doesn't come into picture when you access the static files as they are handled by the static file handler. SO the authorization is not coming into picture. ALso try to configure the app pool to run in integrated mode and try, because integrated mode combines iis and asp.net pipeline, if youa are running in classic it won't
ALso to add another note on the line, 401.2 is a status responded back by the server that there is no user info being passed and client has to login, this doesn't necessarily have to deal with authorization and it is a way of authentication how servers work.

Redirect user to html page from asp login control when no internet connection

I am using the application cache to save pages offline and have set a FALLBACK: so that, if the user accesses any page on my site which isn't in the appcache, they are redirected to Home.html. The only point at which this doesn't work is if the user has the Login.aspx page open before they lose connection. If they then select the login button they are sent to the standard 'There is no internet connection' page rather than my Home.html page.
Can I get the login button to send the user to my Home.html page when they have no internet connection? I am using a standard asp login control on my login page. I tried setting the following in system.web in my web.config file:
<customErrors defaultRedirect="Home.html" mode="On">
</customErrors>
but that seemed to have no effect. Does anyone know of a way I can do this?
You cannot use Application Cache to support fallback behavior for the login control. The login control issues an HTTP POST, and only HTTP GET is supported.
You could write your own login page that uses a GET, but that means the user name and password would show up in the URL, which is not a very good idea, even over HTTPS.
Perhaps you could issue the login request within an iFrame, or using AJAX, and use Javascript to navigate to the fallback page if it fails.
By the way, application cache support has been deprecated, so maybe you should move away from this solution.
<customErrors mode="On" redirectMode="ResponseRewrite">
<error statusCode="404" redirect="~/Views/Shared/Error.cshtml"/>
<error statusCode="500" redirect="~/Views/Shared/Error.cshtml"/>
</customErrors>
As you saw here, you can invoke the page to be redirected if these two errors occur. I hope that it helped

ASPX Login Controls work on everyone's computer except mine

I'm using VSEW 2013 and running windows 10.
I created a login page (Login.aspx) and a signup page (SignUp.aspx). I used the standard controls and did not add any code behind to them. They are out of the box controls.
What works:
Creating an account on signup.aspx page
Validating user login on Login.aspx page
On my computer, after login, it shows that I didn't log in yet. But when my friends test it, they don't have any problems with it.
Here is a drop box link to all of the files and you can test it yourself and see that it works.
https://www.dropbox.com/sh/do3f533s0hacy4x/AADuWBbIBpaxDy7SIPG9_7s6a?dl=0
Username: kyle
password 123456
However, signup.aspx works (well it won't send you an email because I didn't do that yet) so you can create your own account.
I've tried:
Verified that cookies are enables
Disabled Antivirus
Disabled Firewall
Checked Windows Defender (it's off)
Tested in Chrome, Edge, and Firefox.
Deleted all localhost cookies.
I cannot figure out why my computer won't let me log in successfully but everyone else can.
Please help me solve this problem.
Looking at your web.config, for some odd reason this section is there:
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
</modules>
</system.webServer>
This section coupled with the fact that your authentication mode is set to forms:
<system.web>
<authentication mode="Forms" />
...
</system.web>
Would make it so that authentication wouldn't work at all, which is like what your describing. Try removing that first section, if you want to keep using Forms Authentication.
It's odd that this configuration would work on other computers, I can't explain that, but I would try removing that section of code where FormsAuthentication is being turned off and see if that helps.

ASP.NET disable debug error messages on localhost

I have a project that is running a small node.js application as a reverse proxy. Some of the requests the reverse proxy receives are directed to IIS installed on the same machine, which naturally hit IIS over localhost / 127.0.0.1.
As a result, IIS automatically returns detailed error messages in the case of an error. Naturally, the proxy sends these to the user, which is not good because they contain more information than I want external users to see. I have tried to turn off the detailed error messages by explicitly setting compilation debug="false" in web.config, but since the requests come over the localhost, IIS seems determined to return detail debug error messages.
Is there a way to disable these debug error messages from being returned even when the request is coming over localhost?
I am running Windows 2012 RS, IIS 8, .NET 4.6.
OK, I found what I needed to do to make sure that IIS never returns detailed error messages, local or not.
More details can be found here.
The short answer is: Launch IIS Manager, click on the website, under IIS go to Error Pages, right click on the pre-defined error message and select "Edit Feature Settings", and select "Custom error pages". Then define the page that you want displayed.
Alternatively, you can define your preferences in web.config under system.webServer with values such as those listed below. The "errorMode" defaults to "DetailedLocalOnly", which causes the issue I am trying to avoid. Setting to "Custom" resolves the issue.
<httpErrors errorMode="Custom">
<remove statusCode="401" subStatusCode="-1"/>
<error statusCode="401" prefixLanguageFilePath="" path="/errors/401.html" responseMode="ExecuteURL"/>
</httpErrors>

Why is IIS 7 showing me a default 403 page?

I have setup an asp.net 4.0 site where if someone tries to access an authorized area they get redirected to a SignIn page and the status is set to 403.
On my local machine it redirects to the SignIn page with the 403 status. On IIS 7 I get a nasty 403 Forbidden page instead of the SignIn page.
How can I get it to work on IIS 7 like it does on my Local?
IIS has default pages for all the HTTP error codes. You can override these in IIS to redirect to your own page.
IIS also recognizes the ASP.NET tag in the web.config file and uses that first if it's available, so you will need to setup your custom errors tags as follows:
<customErrors defaultRedirect="defaultError.aspx" mode="On">
<error statusCode="403" redirect="my403page.aspx"/>
</customErrors>
Hope this is what you're after. You can also use forms authentication in ASP.NET to achieve this, it uses cookies but works quite well with the scenario you described, unless you specifically need them to be redirected to a 403 page.
By "nasty" it sounds like you mean that IIS is throwing up its default 403 err message page. You could set the custom 403 error in IIS to redirect the user to your friendly signin page.
Not sure that's the best design, necessarily, but it probably would solve your problem based on how you've explained it...
I would check to make sure the authentication settings in your web.config file are the same in both environments.
EDIT
You might also be running into a problem with the anonymous authentication identity. I've run into this issue myself when first moving a site to IIS7. MSDN has a page the runs through your possible options.

Resources