Solved

Password Change Redirection in IIS

Posted on 2009-06-29
Last Modified: 2012-06-27
Dear Experts Community,

     Our team has been required to enable password expiration for our web applications and I am having difficulty configuring IIS to redirect users to our password change page.   The essential problem is that each web server has MULTIPLE Application Pools, and the password change page ONLY seems to work when it is in the SAME pool as the application that the user with an expired password attempts to access.  

So, if you access an app in the same pool, you go to the redirection page (which is a simple redirect ASP page with an HTTP meta-refresh). This is working.

If you access an app from a different pool, you get the 403.18 error indicating that the specified request cannot be executed from the current application pool.

      What I have hoped to do to get past this problem is to redirect the 403.18 error message.   I have configured the IIS Custom Error message for 403.18 to go to a different local virtual directory using URL /passwordRedirectionNoPool/redirectError.asp

    As I rolled this out to our server farm, I have found that it works on some servers, but not everywhere.  On the servers where it doesn't work, we have configured the custom 403.18 error to use a local URL in a virtual directory without an apppool, but it ALWAYS goes to the default 403.18 html message instead.  I can redirect the 403.18 to a static html page, but not to the redirecterror.asp page.   The reason I need an .asp page is so I can redirect the user back to their intended URL when they are done changing their password. (IIS provides this in the query string)  I tried the simplest .asp page I could think of.   I reviewed the IIS configuration a number of times on several servers and I'm running out of things to review.

In the IIS logs, I see an entry accessing the original page and to the redirection site with the 403.18 error, but I don't see any listing for the custom error URL afterwards.

   In order for this mechanism to work, I need it to work on all of our servers and all of our applications.  

   If anyone has any advice for settings to review, please let me know,

   Best Regards,

   John

Redirect.asp

<%
On Error Goto 0

Dim ParamString
Dim username
Dim prevpage

' Authenticated account name as reported by IIS
username = Request.ServerVariables("REMOTE_USER")
' IIS passes the originally requested URL in the query string
prevpage = Request.QueryString

' URL-encode both values so each one survives as a single query parameter
ParamString = "?url=" & Server.URLEncode(prevpage) & "&username=" & Server.URLEncode(username)
%>

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>Password Redirection Page</title>
 <meta http-equiv="refresh" content="0;url=https://passwordchangeserver/ChangePassword/ChangeYourPassword.aspx<%=Server.HTMLEncode(ParamString)%>" />
</head>
<body>
<H2>PASSWORD Redirection</H2>
<H2>Your password has expired. You will be redirected to the password change.</H2>
<% ' HTML-encode before echoing request data into the page
Response.Write Server.HTMLEncode(ParamString) %>
</body>
</html>


RedirectError.asp

<%
Response.Clear
Response.ContentType = "text/html"
Response.Expires = 0

On Error Goto 0

Dim ParamString
Dim username
Dim prevpage
Dim parse

ParamString = ""
' Authenticated account name as reported by IIS
username = Request.ServerVariables("REMOTE_USER")
' For a custom error URL, IIS passes the failing URL in the query string
prevpage = Request.QueryString

If Len(prevpage) > 0 Then
  parse = Split(prevpage, "?")
  ' VBScript arrays have no .length property; UBound >= 1 means at least two parts
  If UBound(parse) >= 1 Then
    ' URL-encode both values so each one survives as a single query parameter
    ParamString = "?url=" & Server.URLEncode(parse(1)) & "&username=" & Server.URLEncode(username)
  End If
End If
%>

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>Password Redirection Page</title>
 <meta http-equiv="refresh" content="0;url=https://PasswordChangeServer/ChangePassword/ChangeYourPassword.aspx<%=Server.HTMLEncode(ParamString)%>" />
</head>
<body>
<H2>PASSWORD Redirection Page</H2>
</body>
</html>

0
Question by:peiasp
7 Comments
 
LVL 22

Expert Comment

by:cj_1969
ID: 24744539
If you are using a META REFRESH you should not have any problems as this is completely handled on the client side and it is just a matter of building the page with the correct code to make it go where you want it to go.

If interested, here is a page that outlines the different redirects that you can implement ... http://blogs.msdn.com/david.wang/archive/2005/08/01/HOWTO_Common_URL_Redirection_Techniques_for_IIS_Summary.aspx  (you might want to look into the 302 redirect).

The problem with a server side redirect, as you found out, is that it has to be a page in the same server or in the newer IIS instances, app pool.

If using the META REFRESH (or any client side redirect) you should not have to code a custom error page as the refresh should redirect to right where you want to go without throwing an error.

If you look at the ASP code for the 301 redirect you should be able to modify this and make it work for a 302 redirect ... http://www.webmasterworld.com/forum23/3432.htm
0
 

Author Comment

by:peiasp
ID: 24746014
Hi, cj_1969,

Thanks for the information and the links.  They are helpful.  It is good to know about the 301 method of redirection as well as other possibilities, however, I'm wondering if you can help me further on how I can apply them in my case.

First, perhaps I need to provide one extra piece of information.  Our application/webserver security uses Basic Authentication over SSL.  The only way I know how to detect if a user has an expired password (since I can't control the actual applications) and redirect the user to a change password page is to use a method using an IISADMPWD mechanism.   I have set the AuthExpiredURL in the IIS metabase to redirect the user to the password redirection (redirect.asp) page.    If the user actually gets this page, everything is great and they are redirected.  The redirection from the META REFRESH works since it's from the client.  The problem is that if you are redirected from a different app pool, the IIS code does not run. As far as I know, I don't have a choice on the redirection method for this mechanism.

The second need I have is to send the user back to where they came from once they have created a new password.  In order for this to occur, I rely on using the query string from the IIS redirection to tell me the original page.

So, the only way I know that the user has an expired password is to rely on this IISADMPWD method which does the initial redirection.  I know I will get a 403.18 error if the redirection occurs from a different pool, so I should be able to handle that error in the redirection application, however, the URL method doesn't work as I mentioned.  Even with this configuration, it just uses the default error message.   As I mentioned, what is strange is that I can set it to basic html using the 'File' configuration, however in this configuration, I don't get the querystring with the original URL.

Are there other methods in IIS to redirect users with expired passwords?   How does the rest of the world handle this type of problem?  Forms Based Authentication using .net and methods within our software to handle this would be nice down the road, but right now our architecture is what it is.

John
0
 
LVL 22

Expert Comment

by:cj_1969
ID: 24746370
It sounds like your redirect.asp page is just not in the location where it needs to be.
It seems to me that if you place this inside each directory where the authentication is/could be taking place then it would be in the same application pool as the page that is being requested and the redirect would work and you should not have any problems.

That said, if this is not an option then ... I would expect the custom error page that you have created to work, as it does in most cases.  My thought on this is similar to the redirect page ... it is probably not in the location where it needs to be to be usable under all circumstances.  Can you try placing it in the root of the web server and see if it works from there?  Or in its own sub folder off the root.  This should get it out from under any other application definitions and make it the same call no matter where the error occurs from.  Then the requests should be handled consistently.
0
 

Author Comment

by:peiasp
ID: 24747622
Hi CJ,

  Thanks for the advice.  Here's what occurs.  If I place the redirect.asp page in the default webserver path, then I get the 403.18 error all the time, which I guess makes sense since we have Application Pools for our applications.

   Again, I don't seem to be able to redirect 403.18 to a URL, but I can redirect it to a file, which makes me think that IIS is trying to do the redirection, but there is an apppool issue with the second .asp redirection.

   I reviewed our test server where this mechanism worked in the first place and I found that we had only two application pools there.  One in the same pool as the change password redirection page and the second in the default app pool.  

   At this point, I can't see another alternative. I think that I'm going to plan B.  I'll write something to display a message if I don't know where the user is originating and ask them to open a new browser window.  Not the best solution, but the best I can do given the Application Pool limitation.

    I guess my final commentary for other people doing this is to be wary of using the IISADMPWD mechanism if you have multiple application pools.

     Thanks for reviewing this issue with me.
0
 
LVL 22

Accepted Solution

by:
cj_1969 earned 500 total points
ID: 24748065
0
 

Author Comment

by:peiasp
ID: 24755172
Hi cj,   The registry fix works!  This allows the custom error to be redirected to the .asp page without the 403.19 error.

For reference to those reading, the setting is the following.

HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\IgnoreAppPoolForCustomErrors - DWORD - value 1


 
0
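Because the thread describes the redirect working on some servers in the farm and not others, the following added example (not code from the thread) reports the IgnoreAppPoolForCustomErrors value per server and can optionally set it to DWORD 1. The key path and value name are the ones quoted above; the function name Test-IgnoreAppPoolSetting and the host names WEB01/WEB02 are hypothetical, and remote checks assume PowerShell remoting is enabled.

```powershell
# Added example: audit (and optionally set) the registry value named in the thread.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'
$ValueName = 'IgnoreAppPoolForCustomErrors'

function Test-IgnoreAppPoolSetting {   # hypothetical helper name
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [switch]$Fix   # write DWORD 1 where the value is missing or different
    )
    # Runs on each target: read the value, optionally correct it, report the state
    $check = {
        param($KeyPath, $ValueName, $Fix)
        $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        $current = if ($item) { $item.$ValueName } else { $null }
        $changed = $false
        if ($Fix -and $current -ne 1) {
            New-ItemProperty -Path $KeyPath -Name $ValueName `
                -PropertyType DWord -Value 1 -Force | Out-Null
            $changed = $true
            $current = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Value    = $current            # $null means the value is not present
            Enabled  = ($current -eq 1)
            Changed  = $changed
        }
    }
    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) {
            & $check $KeyPath $ValueName $Fix.IsPresent
        } else {
            Invoke-Command -ComputerName $c -ScriptBlock $check `
                -ArgumentList $KeyPath, $ValueName, $Fix.IsPresent |
                Select-Object Computer, Value, Enabled, Changed
        }
    }
}

# Report the local machine only; nothing is changed without -Fix
Test-IgnoreAppPoolSetting

# Farm-wide report, then correction (placeholder host names):
# Test-IgnoreAppPoolSetting -ComputerName 'WEB01', 'WEB02'
# Test-IgnoreAppPoolSetting -ComputerName 'WEB01', 'WEB02' -Fix
```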
 

Author Closing Comment

by:peiasp
ID: 31597986
Thanks CJ for your assistance.
0
