c# asp.net access-denied http-status-code-401 httpexception

Forcing a custom HTTP 401 unauthorized page in ASP.NET


I've written a web application for internal use at work (not for the wider internet) that makes use of Windows authentication - ASP.NET interrogating Windows for the current set of credentials. An authentication method called from the Page_PreInit of protected pages throws a 401 error if the username is not found in an AD group I've set up.

I implemented Earlz' CustomErrorsFixer from "Throwing an HttpException always sends back HTTP 500 error?" as I too was only getting 500s back. Now my custom error pages are working, which is great.

Developing locally in Visual Studio development server, I've found that if I do not have access, I just go straight to the 401 error page. However! When I publish the site to an IIS server, if the user doesn't have access they get a Windows username/password prompt (the ugly, small one in XP). This is actually quite handy because it gives people who are logged onto a different domain a chance to enter the correct credentials.

At this stage, when the password prompt comes up, if the user hits Cancel or Escape, they go to the custom 401 page, which tells them how to go about requesting access. IF however they try to enter a username and password, which defaults to the wrong domain and are therefore incorrect credentials, they are shown the default IIS 401 page, which I'm very keen to avoid. Third scenario - if they enter CORRECT credentials, they are asked 3 times, and then shown the custom error page.

So, users see the custom 401 page if they are "authenticated", and the standard IIS one if they are not.

However, I've been finding that most people when prompted with a username/password box just enter the username/password without domain - which ends up being incorrect and therefore sending them to the non-custom IIS 401 page. Does anyone know how I can solve this? It's extremely annoying, because people need to see the custom 401 page in order to see which group they need to request access to!

In case it matters, the browser we all use is IE8 on XP or IE9 on Windows 7. Please let me know if I should post any code up.


Solution

  • IIS7 intercepts the 401 along with a few other HTTP status codes by default.

    Try this:

    <configuration>
      <system.webServer>
        <httpErrors existingResponse="PassThrough" />
      </system.webServer>
    </configuration>