Daniel Wilson
asked on
ASP.Net 401 redirect -- Is there an accepted method?
One of the tasks I'm assigned on one of our websites is to gracefully handle users who are not members of the appropriate AD group. They should (somehow) get a message to the effect:
You do not have rights to this application. If you believe you should have rights, please contact So and So.
We're using Windows authentication ... so in Web.Config I've changed from
<authorization>
<allow users="*" />
</authorization>
to
<authorization>
<allow roles="MyDomain\MyADGroupName"/>
<deny users="?"/>
</authorization>
with a Location block
<location path="SecurityError.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Navigating directly to SecurityError.aspx works -- glad SOMETHING does.
But after entering credentials that are for a user who lacks rights, I get through to the other pages ... which then blow up when they try to access the DB.
Having carefully read http://www.codeproject.com/KB/aspnet/Custon401Page.aspx , I added the following to my Global.asax.vb:
Protected Sub Application_EndRequest(ByVal sender As Object, _
ByVal e As EventArgs) Handles MyClass.EndRequest
'taken and translated from http://www.codeproject.com/KB/aspnet/Custon401Page.aspx
Dim context As HttpContext = HttpContext.Current
If (context.Response.Status.Substring(0, 3).Equals("401")) Then
context.Response.ClearContent()
context.Response.Write("<script language=""javascript"">self.location='SecurityError.aspx';</script>")
End If
End Sub
That appears to have no effect.
Configuring IIS settings is an option for me ... I have to work out the settings on our DEV system & have the admins put them in when we go to PROD ... but that's fine.
But going into the Custom Errors section of the Web Application entry, I set 401.2 to redirect to SecurityError.aspx. No better.
Another developer has told me to allow everybody in Web.Config, but check in the page whether the user is authenticated ... which sounds REALLY wrong.
So ... what is the RIGHT way to do this in ASP.Net?
Thanks!
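Added here as an illustration, not code from the thread: a small Python model of the ASP.NET URL-authorization rules quoted above, using the UrlAuthorizationModule semantics (rules are evaluated top-down and the first match wins; `?` matches only anonymous requests, `*` matches everyone; a request that matches no rule is admitted by the root web.config default `<allow users="*"/>`). The principals and the "fixed" variant with a trailing `<deny users="*"/>` are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class Principal:
    name: Optional[str]                      # None = anonymous (no credentials sent)
    roles: Set[str] = field(default_factory=set)

def _matches(rule: ET.Element, p: Principal) -> bool:
    # "*" is everyone, "?" is anonymous only; names and roles compare case-insensitively.
    users = [u.strip() for u in rule.get("users", "").split(",") if u.strip()]
    roles = [r.strip().lower() for r in rule.get("roles", "").split(",") if r.strip()]
    for u in users:
        if u == "*" or (u == "?" and p.name is None):
            return True
        if p.name is not None and u.lower() == p.name.lower():
            return True
    # A roles= rule can only match an authenticated principal.
    mine = {r.lower() for r in p.roles}
    return p.name is not None and any(r in mine for r in roles)

def is_authorized(authorization_xml: str, p: Principal) -> bool:
    """First matching <allow>/<deny> wins. No match falls through to the
    root web.config default <allow users="*"/>, so the request is admitted."""
    for rule in ET.fromstring(authorization_xml):
        if _matches(rule, p):
            return rule.tag == "allow"
    return True

# Constructed inputs: the questioner's block, and the same block closed with
# <deny users="*"/> so that anything not explicitly allowed is refused.
ASKER_CONFIG = """<authorization>
  <allow roles="MyDomain\\MyADGroupName"/>
  <deny users="?"/>
</authorization>"""
FIXED_CONFIG = """<authorization>
  <allow roles="MyDomain\\MyADGroupName"/>
  <deny users="*"/>
</authorization>"""

ANONYMOUS = Principal(None)                                    # before the 401 challenge
MEMBER = Principal("MyDomain\\SomeUser", {"MyDomain\\MyADGroupName"})
OUTSIDER = Principal("MyDomain\\MyLogin_Test", {"MyDomain\\Domain Users"})  # authenticated, not in group

if __name__ == "__main__":
    for label, cfg in (("asker", ASKER_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, [is_authorized(cfg, p) for p in (ANONYMOUS, MEMBER, OUTSIDER)])
```

With the thread's block only the anonymous request is stopped and the authenticated non-member falls through to the page (and on to the database); with the trailing deny that user is refused before the page runs, while the `<location>` override still lets everyone reach SecurityError.aspx.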
ASKER
like this?
Protected Sub Application_EndRequest(ByVal sender As Object, _
ByVal e As EventArgs) Handles MyClass.EndRequest
'taken and translated from http://www.codeproject.com/KB/aspnet/Custon401Page.aspx
Dim context As HttpContext = HttpContext.Current
If (context.Response.Status.Substring(0, 3).Equals("401")) Then
Response.ClearHeaders()
Response.Redirect ("UrlToGo")
context.Response.ClearContent()
End If
End Sub
ASKER
That's not working ... and neither is
If (context.Response.Status.Substring(0, 3).Equals("401")) Then
Response.ClearHeaders()
context.Response.ClearContent()
Response.Redirect("SecurityError.aspx")
End If
Any idea where I'm going wrong now?
ASKER
http://msdn.microsoft.com/en-us/library/ms972958.aspx is for a slightly different scenario ... but says:
Using the IIS Manager, right-click the WinLogin.aspx file, click Properties, and then go to the Custom Errors tab to Edit the various 401 errors and assign a custom redirection. Unfortunately, this redirection must be a static file; it will not process an ASP.NET page.
And that author shows setting all the 401-series errors to redirect to that page. It's not working for me, though.
ASKER
OK, now I've tried this in Index.aspx ... and it doesn't transfer. I still get the DB error.
Private Sub Page_PreRender(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.PreRender
If Not Me.User.IsInRole("MyDomain\MyADGroup") Then
Server.Transfer("SecurityError.html")
End If
End Sub
ASKER
Same w/ Response.Redirect as w/ Server.Transfer.
Any ideas, anybody?
You say you have modified the 401.2 error. 401.2 is an authentication header error, and the error code for lack of permissions (ACL error) is 401.3.
As I understand the question, you have only configured permissions for the DB and not the web application's NTFS permissions on IIS/file server. Change the NTFS permissions for the web application and ensure that they have access to the folder with the custom errors to get unauthorized users to the 401.3 page.
ASKER
Thanks for the reply, henjoh09.
>>You say you have modified 401.2 error.
I have now modified ALL the 401 errors.
>> 401.2 is authentication header error and the error code for lack of permissions (ACL-error) is 401.3
Are you saying I should change back the 401.2 to the default?
>>Change the NTFS-permissions for the web application and ensure that they have access to the folder with the custom errors to get unauthorized users to get the 401.3 page.
OK, that makes sense ... trying that ...
Authenticated Users have Read & Execute permissions on the file ... so I don't think it's NTFS.
ASKER
OK, here's what I do ... and I'm attaching a sanitized version of the IIS log:
- I point a new IE instance to MySite\MyApplication
- It challenges me for credentials and I input my test username & the matching password. This account is NOT a member of the approved AD group.
- I get back an error message where the Index.aspx page is trying to access the database.
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-11-17 14:32:39
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2008-11-17 14:32:39 W3SVC657423967 AUV670 10.20.6.207 GET /MyApp/ - 80 - 10.20.140.124 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1;+MS-RTC+LM+8) - - dev-MySite.MyTLD 401 2 2148074254 1306 471 320
2008-11-17 14:32:50 W3SVC657423967 AUV670 10.20.6.207 GET /MyApp/Index.aspx - 80 MyDomain\MyLogin_Test 10.20.140.124 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1;+MS-RTC+LM+8) - - dev-MySite.MyTLD 500 0 0 18382 534 3728
ASKER
An update here ...
It redirects properly for a co-worker. But for my test account, IIS doesn't catch the problem ... only SQL Server does.
More confused than ever ...
ASKER CERTIFIED SOLUTION
ASKER
Thanks for the reply, henjoh09.
>>500-error in log is caused by unhandled exceptions when the code is trying to access database with incorrect credentials.
Understood. I should handle the error ... except that I'm actually trying to PREVENT that exact error.
I'm digging through the article you linked ... will check back in!
ASKER
OK, I'm back to this one. That's a good article.
Yes, 401.2 is "denied by server configuration" ...
Description
The client browser and IIS could not agree on an authentication protocol.
Common reasons
- No authentication protocol (including anonymous) is selected in IIS. At least one authentication type must be selected. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 253667 (http://support.microsoft.com/kb/253667/) Error message: HTTP 401.2 - Unauthorized: Logon failed due to server configuration with no authentication
- Only Integrated authentication is enabled, and an older, non-Internet Explorer client browser tries to access the site. This happens because the client browser cannot perform Integrated authentication. To resolve this problem, use one of the following methods:
  - Configure IIS to accept Basic authentication. This should only occur over SSL for security purposes.
  - Use a client browser that can perform Integrated authentication. Internet Explorer and new versions of Netscape Navigator and Mozilla Firefox can perform Integrated authentication.
- Integrated authentication is through a proxy. This happens because the proxy doesn't maintain the NTLM-authenticated connection and thus sends an anonymous request from the client to the server. Options to resolve this problem are as follows:
  - Configure IIS to accept Basic authentication. This should only occur over SSL for security purposes.
  - Don't use a proxy.
I'm using IE6, so the 2nd common reason in the article doesn't apply. And the site is using Basic Authentication. So neither do the 1st or 2nd.
Attaching screenshot of IIS setup ... Checking more ...
BasicAuthent.GIF
ASKER
And ... it's working.
I have removed the code from Page_PreRender and just have the IIS settings.
Thanks for the help ... I wish I could point to a particular change that got it going!
Response.ClearHeaders() also.
Also, instead of Response.Write("<script....),
do Response.Redirect("UrlToGo").
I think that this may solve your issue.