ASP.Net 401 redirect -- Is there an accepted method?

One of the tasks I'm assigned on one of our websites is to gracefully handle users who are not members of the appropriate AD group.  They should (somehow) get a message to the effect:
You do not have rights to this application.  If you believe you should have rights, please contact So and So.

We're using Windows authentication ... so in Web.Config I've changed from
    <authorization>
      <allow users="*" />
    </authorization>
to
    <authorization>
      <allow roles="MyDomain\MyADGroupName"/>
      <deny users="?"/>
    </authorization>

with a Location block
    <location path="SecurityError.aspx">
      <system.web>
        <authorization>
          <allow users="*"/>
        </authorization>
      </system.web>
    </location>


Navigating directly to SecurityError.aspx works -- glad SOMETHING does.

But after entering credentials that are for a user who lacks rights, I get through to the other pages ... which then blow up when they try to access the DB.

Having carefully read http://www.codeproject.com/KB/aspnet/Custon401Page.aspx , I added the following to my Global.asax.vb:
    Protected Sub Application_EndRequest(ByVal sender As Object, _
        ByVal e As EventArgs) Handles MyClass.EndRequest

        'taken and translated from http://www.codeproject.com/KB/aspnet/Custon401Page.aspx

        'Runs once per request, after the pipeline has produced a response.
        'Response.Status is the text "401 Unauthorized", so the first three
        'characters are the numeric status.
        Dim context As HttpContext = HttpContext.Current
        If (context.Response.Status.Substring(0, 3).Equals("401")) Then
            'Drop whatever the 401 body was and send the browser to the error page.
            context.Response.ClearContent()
            context.Response.Write("<script language=""javascript"">self.location='SecurityError.aspx';</script>")
        End If

    End Sub

That appears to have no effect.

Configuring IIS settings is an option for me ... I have to work out the settings on our DEV system & have the admins put them in when we go to PROD ... but that's fine.

But going into the Custom Errors section of the Web Application entry, I set 401.2 to redirect to SecurityError.aspx.  No better.

Another developer has told me to allow everybody in Web.Config, but check in the page whether the user is authenticated ... which sounds REALLY wrong.

So ... what is the RIGHT way to do this in ASP.Net?

Thanks!
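The authorization block quoted above is worth checking against ASP.NET's first-match rule semantics before touching IIS or Global.asax. This is an added example, not code from the original post: a small evaluator that applies <authorization> rules the way UrlAuthorizationModule does (rules are tested top to bottom, the first rule whose users/roles/verbs match the caller wins, "?" means anonymous callers, "*" means everyone, and a caller matched by no rule falls through to the machine-level root web.config, whose last rule is <allow users="*"/>). The two configs are the post's snippet wrapped in a minimal <configuration> root, and the same snippet with a trailing <deny users="*"/>; the principals (MyDomain\Alice, MyDomain\MyLogin_Test) are made up for the demonstration.

```python
# Added example (not code from the original post): evaluate ASP.NET
# <authorization> rules with UrlAuthorizationModule's first-match semantics
# so the original and corrected web.config can be compared offline.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# The snippet from the question, wrapped in a minimal <configuration> root.
# Only anonymous callers are denied; an authenticated user outside the group
# matches neither rule and is let through by the machine-level default.
ORIGINAL_CONFIG = r"""<configuration>
  <system.web>
    <authorization>
      <allow roles="MyDomain\MyADGroupName"/>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>"""

# Corrected form: the trailing <deny users="*"/> closes the fall-through.
FIXED_CONFIG = r"""<configuration>
  <system.web>
    <authorization>
      <allow roles="MyDomain\MyADGroupName"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>"""


@dataclass(frozen=True)
class Principal:
    """Caller identity; name None means the request is anonymous."""
    name: Optional[str]
    roles: FrozenSet[str] = frozenset()

    @property
    def is_authenticated(self) -> bool:
        return self.name is not None


def _tokens(attr: Optional[str]) -> List[str]:
    # users/roles/verbs attributes are comma-separated lists
    return [t.strip() for t in (attr or "").split(",") if t.strip()]


def _rule_matches(rule: ET.Element, who: Principal, verb: str) -> bool:
    verbs = [v.upper() for v in _tokens(rule.get("verbs"))]
    if verbs and verb.upper() not in verbs:
        return False
    for u in _tokens(rule.get("users")):
        if u == "*":                       # everyone, authenticated or not
            return True
        if u == "?":                       # anonymous callers only
            if not who.is_authenticated:
                return True
            continue
        if who.is_authenticated and u.lower() == who.name.lower():
            return True
    user_roles = {r.lower() for r in who.roles}
    for r in _tokens(rule.get("roles")):
        if who.is_authenticated and r.lower() in user_roles:
            return True
    return False


def is_authorized(web_config: str, who: Principal, verb: str = "GET") -> bool:
    """True if UrlAuthorizationModule would let `who` reach the resource."""
    root = ET.fromstring(web_config)
    auth = next(root.iter("authorization"), None)
    for rule in ([] if auth is None else list(auth)):
        if rule.tag in ("allow", "deny") and _rule_matches(rule, who, verb):
            return rule.tag == "allow"      # first matching rule decides
    return True  # no rule matched: root web.config's <allow users="*"/> applies


# Constructed principals for the comparison (assumed names, not from the post).
ANONYMOUS = Principal(None)
MEMBER = Principal(r"MyDomain\Alice", frozenset({r"MyDomain\MyADGroupName"}))
OUTSIDER = Principal(r"MyDomain\MyLogin_Test")   # authenticated, not in the group


def compare() -> dict:
    """Decision per caller under both configs: {config: {caller: allowed}}."""
    callers = {"anonymous": ANONYMOUS, "member": MEMBER, "outsider": OUTSIDER}
    return {
        label: {name: is_authorized(cfg, who) for name, who in callers.items()}
        for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG))
    }


if __name__ == "__main__":
    for label, decisions in compare().items():
        print(label, decisions)
```

With the original rules the authenticated-but-unauthorized caller is allowed, which is exactly the symptom described (the pages run and then fail at the database). With the trailing deny, UrlAuthorizationModule ends the request with a 401 before any page code runs, which is the status the Global.asax handler and the IIS custom-error settings both key on.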
Daniel Wilson asked:
Dimitris (Senior Solution Architect) commented:
Try also before the Response.ClearContent
the Response.ClearHeaders() also
also instead of response.Write("script....")
Do Response.Redirect ("UrlToGo")

I think that this may solve your issue
Daniel Wilson (Author) commented:
like this?

    Protected Sub Application_EndRequest(ByVal sender As Object, _
        ByVal e As EventArgs) Handles MyClass.EndRequest
 
        'taken and translated from http://www.codeproject.com/KB/aspnet/Custon401Page.aspx
 
        Dim context As HttpContext = HttpContext.Current
        If (context.Response.Status.Substring(0, 3).Equals("401")) Then
            Response.ClearHeaders() 
            Response.Redirect ("UrlToGo")
            context.Response.ClearContent()
        End If
 
    End Sub

Daniel Wilson (Author) commented:
That's not working ... and neither is

        If (context.Response.Status.Substring(0, 3).Equals("401")) Then
            Response.ClearHeaders()
            context.Response.ClearContent()
            Response.Redirect("SecurityError.aspx")
        End If

Any idea where I'm going wrong now?
Daniel Wilson (Author) commented:
http://msdn.microsoft.com/en-us/library/ms972958.aspx is for a slightly different scenario ... but says:
Using the IIS Manager, right-click the WinLogin.aspx file, click Properties, and then go to the Custom Errors tab to Edit the various 401 errors and assign a custom redirection. Unfortunately, this redirection must be a static file; it will not process an ASP.NET page.

And that author shows setting all the 401-series errors to redirect to that page.

It's not working for me, though.
Daniel Wilson (Author) commented:
OK, now I've tried this in Index.aspx ... and it doesn't transfer.  I still get the DB error.

    Private Sub Page_PreRender(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.PreRender
        If Not Me.User.IsInRole("MyDomain\MyADGroup") Then
            Server.Transfer("SecurityError.html")
        End If
    End Sub

Daniel Wilson (Author) commented:
Same w/ Response.Redirect as w/ Server.Transfer.

Any ideas, anybody?
Henrik Johansson (Systems engineer) commented:
You say you have modified 401.2 error. 401.2 is authentication header error and the error code for lack of permissions (ACL-error) is 401.3

As I understand the question, you have only configured permissions for DB and not the web application's NTFS permissions on IIS/file server. Change the NTFS permissions for the web application and ensure that they have access to the folder with the custom errors to get unauthorized users to get the 401.3 page.
Daniel Wilson (Author) commented:
Thanks for the reply, henjoh09.

>>You say you have modified 401.2 error.

I have now modified ALL the 401 errors.

>> 401.2 is authentication header error and the error code for lack of permissions (ACL-error) is 401.3

Are you saying I should change back the 401.2 to the default?

>>Change the NTFS permissions for the web application and ensure that they have access to the folder with the custom errors to get unauthorized users to get the 401.3 page.

OK, that makes sense ... trying that ...

Authenticated Users have Read & Execute permissions on the file ... so I don't think it's NTFS.
Daniel Wilson (Author) commented:
OK, here's what I do ... and I'm attaching a sanitized version of the IIS log:

  • I point a new IE instance to MySite\MyApplication
  • It challenges me for credentials and I input my test username & the matching password.  This account is NOT a member of the approved AD group.
  • I get back an error message where the Index.aspx page is trying to access the database.
It appears to me that no redirect is being attempted.

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-11-17 14:32:39
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken 
2008-11-17 14:32:39 W3SVC657423967 AUV670 10.20.6.207 GET /MyApp/ - 80 - 10.20.140.124 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1;+MS-RTC+LM+8) - - dev-MySite.MyTLD 401 2 2148074254 1306 471 320
2008-11-17 14:32:50 W3SVC657423967 AUV670 10.20.6.207 GET /MyApp/Index.aspx - 80 MyDomain\MyLogin_Test 10.20.140.124 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1;+MS-RTC+LM+8) - - dev-MySite.MyTLD 500 0 0 18382 534 3728

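The two log lines above carry the answer to "where is the 401?" in their sc-status / sc-substatus columns, and the sub-status is easy to misread by eye. As an added example that is not part of the original post, here is a small parser for the IIS W3C extended format that keys each request's status off the #Fields header and annotates 401 sub-statuses with the IIS 6 meanings; the embedded sample is the sanitized log from the post, and the wording of the sub-status descriptions is assumed from the IIS documentation rather than quoted from the page.

```python
# Added example, not code from the original post: parse IIS W3C extended log
# lines and explain the 401 sub-status, so a failed authentication handshake
# (401.2) can be told apart from an ACL denial (401.3) at a glance.
from typing import Dict, List

# The sanitized log lines posted above, embedded so the example runs offline.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-11-17 14:32:39
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2008-11-17 14:32:39 W3SVC657423967 AUV670 10.20.6.207 GET /MyApp/ - 80 - 10.20.140.124 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1;+MS-RTC+LM+8) - - dev-MySite.MyTLD 401 2 2148074254 1306 471 320
2008-11-17 14:32:50 W3SVC657423967 AUV670 10.20.6.207 GET /MyApp/Index.aspx - 80 MyDomain\MyLogin_Test 10.20.140.124 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1;+MS-RTC+LM+8) - - dev-MySite.MyTLD 500 0 0 18382 534 3728
"""

# IIS 6 sub-status codes for 401 (descriptions paraphrased; assumed, not from the post).
IIS_401_SUBSTATUS = {
    1: "logon failed (credentials rejected)",
    2: "logon failed due to server configuration (no agreed authentication protocol)",
    3: "unauthorized due to ACL on the resource (NTFS permissions)",
    4: "authorization failed by an ISAPI filter",
    5: "authorization failed by an ISAPI/CGI application",
    7: "access denied by URL authorization policy on the web server",
}


def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per request line, keyed by the names in #Fields.

    W3C extended logs are space-delimited; spaces inside a value (e.g. the
    User-Agent) are written as '+', so a plain split is safe.
    """
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the lines that follow
            continue
        if line.startswith("#"):
            continue                       # other directives (#Software, #Date, ...)
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line[:60]}")
        rows.append(dict(zip(fields, values)))
    return rows


def explain(row: Dict[str, str]) -> str:
    """One-line reading of a request: who, what, and what the status means."""
    status = int(row["sc-status"])
    sub = int(row["sc-substatus"])
    user = "anonymous" if row["cs-username"] == "-" else row["cs-username"]
    where = row["cs-uri-stem"]
    if status == 401:
        meaning = IIS_401_SUBSTATUS.get(sub, "unknown sub-status")
        win32 = int(row["sc-win32-status"])
        return f"401.{sub} for {user} on {where}: {meaning} (win32 0x{win32:08X})"
    if status >= 500:
        return (f"{status} for {user} on {where}: the request reached the "
                f"application and failed there; neither IIS nor ASP.NET refused it")
    return f"{status} for {user} on {where}"


def analyze(text: str) -> List[str]:
    return [explain(row) for row in parse_w3c_log(text)]


if __name__ == "__main__":
    for line in analyze(SAMPLE_LOG):
        print(line)
```

Run against the posted log, the first line is the 401.2 challenge IIS issues before the browser has supplied any credentials (cs-username is "-"), and the second is the authenticated request for Index.aspx answered with a 500: the request was handed to the page, so no 401 was ever produced for that user, which is why no custom 401 redirect fired.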
Daniel Wilson (Author) commented:
An update here ...

It redirects properly for a co-worker.  But for my test account, IIS doesn't catch the problem ... only SQL Server does.

More confused than ever ...
Henrik Johansson (Systems engineer) commented:
Sorry for the delay
As you have a 401.2, it's a "denied by server configuration" and not a NTFS-problem.
See http://support.microsoft.com/kb/907273 for troubleshooting of 401 errors including some possible reasons for the 401.2 error.
As described in KB, it can be caused by unconfigured authentication protocol for the site or that access is done through a proxy that doesn't handle NTLM-authentication.

500-error in log is caused by unhandled exceptions when the code is trying to access database with incorrect credentials.
Daniel Wilson (Author) commented:
Thanks for the reply, henjoh09.

>>500-error in log is caused by unhandled exceptions when the code is trying to access database with incorrect credentials.

Understood.  I should handle the error ... except that I'm actually trying to PREVENT that exact error.

I'm digging through the article you linked ... will check back in!

Daniel Wilson (Author) commented:
OK, I'm back to this one.  That's a good article.

Yes, 401.2 is "denied by server configuration" ...

Description

The client browser and IIS could not agree on an authentication protocol.

Common reasons
  • No authentication protocol (including anonymous) is selected in IIS. At least one authentication type must be selected. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 253667 (http://support.microsoft.com/kb/253667/) Error message: HTTP 401.2 - Unauthorized: Logon failed due to server configuration with no authentication
  • Only Integrated authentication is enabled, and an older, non-Internet Explorer client browser tries to access the site. This happens because the client browser cannot perform Integrated authentication. To resolve this problem, use one of the following methods:
    • Configure IIS to accept Basic authentication. This should only occur over SSL for security purposes.
    • Use a client browser that can perform Integrated authentication. Internet Explorer and new versions of Netscape Navigator and Mozilla Firefox can perform Integrated authentication.
  • Integrated authentication is through a proxy. This happens because the proxy doesn't maintain the NTLM-authenticated connection and thus sends an anonymous request from the client to the server. Options to resolve this problem are as follows:
    • Configure IIS to accept Basic authentication. This should only occur over SSL for security purposes.
    • Don't use a proxy.

I'm using IE6, so the 2nd common reason in the article doesn't apply.  And the site is using Basic Authentication.  So neither do the 1st or 2nd.

Attaching screenshot of IIS setup ... Checking more ...

(attachment: BasicAuthent.GIF)

Daniel Wilson (Author) commented:
And ... it's working.

I have removed the code from Page_PreRender and just have the IIS settings.

Thanks for the help ... I wish I could point to a particular change that got it going!