ASP.Net 401 redirect -- Is there an accepted method?

Posted on 2008-11-06
Last Modified: 2011-10-19
One of the tasks I'm assigned on one of our websites is to gracefully handle users who are not members of the appropriate AD group.  They should (somehow) get a message to the effect:
You do not have rights to this application.  If you believe you should have rights, please contact So and So.

We're using Windows authentication ... so in Web.Config I've changed from

    <authorization>
      <allow users="*" />
    </authorization>

to

    <authorization>
      <allow roles="MyDomain\MyADGroupName"/>
      <deny users="?"/>
    </authorization>

with a Location block

    <location path="SecurityError.aspx">
      <system.web>
        <authorization>
          <allow users="*"/>
        </authorization>
      </system.web>
    </location>


Navigating directly to SecurityError.aspx works -- glad SOMETHING does.

But after entering credentials that are for a user who lacks rights, I get through to the other pages ... which then blow up when they try to access the DB.

Having carefully read http://www.codeproject.com/KB/aspnet/Custon401Page.aspx , I added the following to my Global.asax.vb:
    Protected Sub Application_EndRequest(ByVal sender As Object, _
        ByVal e As EventArgs) Handles MyClass.EndRequest

        'taken and translated from http://www.codeproject.com/KB/aspnet/Custon401Page.aspx

        Dim context As HttpContext = HttpContext.Current
        If (context.Response.Status.Substring(0, 3).Equals("401")) Then
            context.Response.ClearContent()
            context.Response.Write("<script language=""javascript"">self.location='SecurityError.aspx';</script>")
        End If

    End Sub

That appears to have no effect.

Configuring IIS settings is an option for me ... I have to work out the settings on our DEV system & have the admins put them in when we go to PROD ... but that's fine.

But going into the Custom Errors section of the Web Application entry, I set 401.2 to redirect to SecurityError.aspx.  No better.

Another developer has told me to allow everybody in Web.Config, but check in the page whether the user is authenticated ... which sounds REALLY wrong.

So ... what is the RIGHT way to do this in ASP.Net?

Thanks!
Question by:Daniel Wilson
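
Added example (not part of the original question and not the poster's code): ASP.NET URL authorization stops at the first rule that matches, and the inherited default rule is `<allow users="*"/>`, so the rules as posted only turn away anonymous requests. The variant below closes the list with `<deny users="*"/>`; the group name and page name are the question's own placeholders.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Windows" />

    <!--
      Rules as posted in the question:
        <allow roles="MyDomain\MyADGroupName"/>
        <deny users="?"/>
      "?" matches anonymous requests only. An authenticated user who is
      not in the group matches neither rule, so evaluation continues to
      the inherited default <allow users="*"/> and the request is let
      through to the pages.
    -->

    <!--
      Corrected rules: evaluated top to bottom, first match wins.
        1. members of the group are allowed
        2. everyone else, authenticated or not, is denied
      A denied request ends with a 401 from URL authorization instead of
      reaching page code that touches the database.
    -->
    <authorization>
      <allow roles="MyDomain\MyADGroupName" />
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- The error page itself must stay readable by the users who were denied. -->
  <location path="SecurityError.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```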
14 Comments
 

Expert Comment

by:Dimitris
ID: 22899859
Also try calling Response.ClearHeaders() before the Response.ClearContent.
Also, instead of Response.Write("script....")
do Response.Redirect("UrlToGo")

I think that this may solve your issue

Author Comment

by:Daniel Wilson
ID: 22899909
like this?

    Protected Sub Application_EndRequest(ByVal sender As Object, _
        ByVal e As EventArgs) Handles MyClass.EndRequest
 
        'taken and translated from http://www.codeproject.com/KB/aspnet/Custon401Page.aspx
 
        Dim context As HttpContext = HttpContext.Current
        If (context.Response.Status.Substring(0, 3).Equals("401")) Then
            Response.ClearHeaders() 
            Response.Redirect ("UrlToGo")
            context.Response.ClearContent()
        End If
 
    End Sub


Author Comment

by:Daniel Wilson
ID: 22900142
That's not working ... and neither is

        If (context.Response.Status.Substring(0, 3).Equals("401")) Then
            Response.ClearHeaders()
            context.Response.ClearContent()
            Response.Redirect("SecurityError.aspx")
        End If

Any idea where I'm going wrong now?

Author Comment

by:Daniel Wilson
ID: 22961320
http://msdn.microsoft.com/en-us/library/ms972958.aspx is for a slightly different scenario ... but says:
Using the IIS Manager, right-click the WinLogin.aspx file, click Properties, and then go to the Custom Errors tab to Edit the various 401 errors and assign a custom redirection. Unfortunately, this redirection must be a static file -- it will not process an ASP.NET page.

And that author shows setting all the 401-series errors to redirect to that page.

It's not working for me, though.

Author Comment

by:Daniel Wilson
ID: 22963472
OK, now I've tried this in Index.aspx ... and it doesn't transfer.  I still get the DB error.

    Private Sub Page_PreRender(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.PreRender
        If Not Me.User.IsInRole("MyDomain\MyADGroup") Then
            Server.Transfer("SecurityError.html")
        End If
    End Sub


Author Comment

by:Daniel Wilson
ID: 22964112
Same w/ Response.Redirect as w/ Server.Transfer.

Any ideas, anybody?

Expert Comment

by:Henrik Johansson
ID: 22970914
You say you have modified 401.2 error. 401.2 is authentication header error and the error code for lack of permissions (ACL-error) is 401.3

As I understand the question, you have only configured permissions for DB and not the web application's NTFS-permissions on IIS/file-server. Change the NTFS-permissions for the web application and ensure that they have access to the folder with the custom errors to get unauthorized users to get the 401.3 page.


Author Comment

by:Daniel Wilson
ID: 22975551
Thanks for the reply, henjoh09.

>>You say you have modified 401.2 error.

I have now modified ALL the 401 errors.

>> 401.2 is authentication header error and the error code for lack of permissions (ACL-error) is 401.3

Are you saying I should change back the 401.2 to the default?

>>Change the NTFS-permissions for the web application and ensure that they have access to the folder with the custom errors to get unauthorized users to get the 401.3 page.

OK, that makes sense ... trying that ...

Authenticated Users have Read & Execute permissions on the file ... so I don't think it's NTFS.

Author Comment

by:Daniel Wilson
ID: 22975833
OK, here's what I do ... and I'm attaching a sanitized version of the IIS log:

  • I point a new IE instance to MySite\MyApplication
  • It challenges me for credentials and I input my test username & the matching password.  This account is NOT a member of the approved AD group.
  • I get back an error message where the Index.aspx page is trying to access the database.
It appears to me that no redirect is being attempted.

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-11-17 14:32:39
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken 
2008-11-17 14:32:39 W3SVC657423967 AUV670 10.20.6.207 GET /MyApp/ - 80 - 10.20.140.124 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1;+MS-RTC+LM+8) - - dev-MySite.MyTLD 401 2 2148074254 1306 471 320
2008-11-17 14:32:50 W3SVC657423967 AUV670 10.20.6.207 GET /MyApp/Index.aspx - 80 MyDomain\MyLogin_Test 10.20.140.124 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.1;+MS-RTC+LM+8) - - dev-MySite.MyTLD 500 0 0 18382 534 3728


Author Comment

by:Daniel Wilson
ID: 23157047
An update here ...

It redirects properly for a co-worker.  But for my test account, IIS doesn't catch the problem ... only SQL Server does.

More confused than ever ...

Accepted Solution

by:Henrik Johansson
ID: 23287912
Sorry for the delay
As you have a 401.2, it's a "denied by server configuration" and not an NTFS problem.
See http://support.microsoft.com/kb/907273 for troubleshooting of 401 errors including some possible reasons for the 401.2-error.
As described in KB, it can be caused by unconfigured authentication protocol for the site or that access is done through a proxy that doesn't handle NTLM-authentication.

500-error in log is caused by unhandled exceptions when the code is trying to access database with incorrect credentials.

Author Comment

by:Daniel Wilson
ID: 23304211
Thanks for the reply, henjoh09.

>>500-error in log is caused by unhandled exceptions when the code is trying to access database with incorrect credentials.

Understood.  I should handle the error ... except that I'm actually trying to PREVENT that exact error.

I'm digging through the article you linked ... will check back in!

Author Comment

by:Daniel Wilson
ID: 23432823
OK, I'm back to this one.  That's a good article.

Yes, 401.2 is "denied by server configuration" ...

Description

The client browser and IIS could not agree on an authentication protocol.

Common reasons
  • No authentication protocol (including anonymous) is selected in IIS. At least one authentication type must be selected. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 253667 (http://support.microsoft.com/kb/253667/) Error message: HTTP 401.2 - Unauthorized: Logon failed due to server configuration with no authentication
  • Only Integrated authentication is enabled, and an older, non-Internet Explorer client browser tries to access the site. This happens because the client browser cannot perform Integrated authentication. To resolve this problem, use one of the following methods:
    • Configure IIS to accept Basic authentication. This should only occur over SSL for security purposes.
    • Use a client browser that can perform Integrated authentication. Internet Explorer and new versions of Netscape Navigator and Mozilla Firefox can perform Integrated authentication.
  • Integrated authentication is through a proxy. This happens because the proxy doesn't maintain the NTLM-authenticated connection and thus sends an anonymous request from the client to the server. Options to resolve this problem are as follows:
    • Configure IIS to accept Basic authentication. This should only occur over SSL for security purposes.
    • Don't use a proxy.


I'm using IE6, so the 2nd common reason in the article doesn't apply.  And the site is using Basic Authentication.  So neither do the 1st or 2nd.

Attaching screenshot of IIS setup ... Checking more ...

BasicAuthent.GIF

Author Comment

by:Daniel Wilson
ID: 23434199
And ... it's working.

I have removed the code from Page_PreRender and just have the IIS settings.

Thanks for the help ... I wish I could point to a particular change that got it going!