peiasp

asked on

Password Change Redirection in IIS

Dear Experts Community,

     Our team has been required to enable password expiration for our web applications and I am having difficulty configuring IIS to redirect users to our password change page.   The essential problem is that each web server has MULTIPLE Application Pools, and the password change page ONLY seems to work when it is in the SAME pool as the application that the user with an expired password attempts to access.  

So, if you access an app in the same pool, you go to the redirection page (which is a simple redirect ASP with an HTTP meta-refresh). This is working.

If you access an app from a different pool, you get the 403.18 error indicating that the specified request cannot be executed from the current application pool.

      What I have hoped to do to get past this problem is to redirect the 403.18 error message.   I have configured the IIS Custom Error message for 403.18 to go to a different local virtual directory using URL /passwordRedirectionNoPool/redirectError.asp

    As I rolled this out to our server farm, I have found that it works on some servers, but not everywhere.  On the servers where it doesn't work, we have configured the custom 403.18 error to use a local URL in a virtual directory without an apppool, but it ALWAYS goes to the default 403.18 html message instead.  I can redirect the 403.18 to a static html page, but not to the redirecterror.asp page.   The reason I need an .asp page is so I can redirect the user back to their intended URL when they are done changing their password. (IIS provides this in the query string)  I tried the simplest .asp page I could think of.   I reviewed the IIS configuration a number of times on several servers and I'm running out of things to review.

In the IIS logs, I see an entry accessing the original page and one for the redirection site with the 403.18 error, but I don't see any entry for the custom error URL afterwards.

   In order for this mechanism to work, I need it to work on all of our servers and all of our applications.  

   If anyone has any advice for settings to review, please let me know,

   Best Regards,

   John

Redirect.asp
 
<%
' Classic ASP (VBScript). IISADMPWD sends the user here (AuthExpiredURL) with the
' originally requested URL in the query string; pass it, plus the user name, on
' to the password change page.
On Error GoTo 0
Dim ParamString
Dim username
Dim prevpage

' REMOTE_USER is placed in a URL, so URL-encode it (HTMLEncode is for markup, not query strings)
username = Server.URLEncode(Request.ServerVariables("REMOTE_USER"))
' Raw query string as supplied by IIS: the URL the user originally asked for
prevpage = Request.QueryString
ParamString = "?url=" & prevpage & "&username=" & username
%>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Password Redirection Page</title>
<!-- HTMLEncode the attribute value so a crafted query string cannot break out of it -->
<meta http-equiv="refresh" content="0;url=https://passwordchangeserver/ChangePassword/ChangeYourPassword.aspx<%=Server.HTMLEncode(ParamString)%>" />
</head>
<body>
<H2>PASSWORD Redirection</H2>
<H2>Your password has expired. You will be redirected to the password change page.</H2>
<% ' Shown for diagnostics; encoded so the query string is never rendered as markup
Response.Write(Server.HTMLEncode(ParamString)) %>
</body>
</html>
 
RedirectError.asp
 
<%
' Classic ASP (VBScript). Target of the IIS custom error configured for 403.18.
' IIS calls a custom error URL with the query string "<status>;<original URL>";
' here the original URL is redirect.asp followed by "?" and the page the user
' first asked for, so the text after the first "?" is where to send them back.
Response.Clear
Response.ContentType = "text/html"
Response.Expires = 0

On Error GoTo 0
Dim ParamString
Dim username
Dim prevpage
Dim parse

ParamString = ""
username = Server.URLEncode(Request.ServerVariables("REMOTE_USER"))
prevpage = Request.QueryString

If Len(prevpage) > 0 Then
  parse = Split(prevpage, "?")
  ' VBScript arrays have no .length; UBound returns the highest index
  If UBound(parse) > 0 Then
    ParamString = "?url=" & parse(1) & "&username=" & username
  End If
End If
%>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Password Redirection Page</title>
<!-- HTMLEncode the attribute value so a crafted query string cannot break out of it -->
<meta http-equiv="refresh" content="0;url=https://PasswordChangeServer/ChangePassword/ChangeYourPassword.aspx<%=Server.HTMLEncode(ParamString)%>" />
</head>
<body>

<H2>PASSWORD Redirection Page</H2>

</body>
</html>

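The asker is reading IIS logs to see whether the 403.18 is followed by a hit on the custom error URL. As an added example (not the poster's code and not from the thread), the PowerShell below parses W3C-format IIS log lines and lists the 403.18 entries with the client, user and the URL that triggered them, so the cross-pool failures can be found per server. The log lines are constructed; they assume W3C logging with the sc-status and sc-substatus fields enabled, and the host, path and user names are placeholders.

```powershell
# Added example: triage W3C-format IIS log lines for 403.18 responses
# ("request cannot be executed from the current application pool").
# Constructed sample log; server, paths and users are placeholders.
$SampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status sc-substatus sc-win32-status
2010-03-01 14:02:11 10.0.0.5 GET /AppA/default.asp - 443 DOMAIN\jdoe 10.0.1.20 200 0 0
2010-03-01 14:02:12 10.0.0.5 GET /AppB/index.asp - 443 DOMAIN\jdoe 10.0.1.20 401 1 0
2010-03-01 14:02:13 10.0.0.5 GET /passwordRedirection/redirect.asp https://server/AppB/index.asp 443 DOMAIN\jdoe 10.0.1.20 403 18 0
2010-03-01 14:02:40 10.0.0.5 GET /passwordRedirection/redirect.asp https://server/AppA/default.asp 443 DOMAIN\asmith 10.0.1.21 200 0 0
'@

# Turn W3C log lines into objects, using the #Fields: header as column names.
function ConvertFrom-IisW3cLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        # Skip other directives and blank lines
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split '\s+'
        if ($null -eq $fields -or $values.Count -ne $fields.Count) { continue }
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }
        [pscustomobject]$record
    }
}

# Keep only 403.18 responses: these are the requests IIS refused to run in the
# pool that received them, i.e. the cross-pool redirects the thread describes.
function Find-CrossPoolErrors {
    param([string[]]$Lines)
    ConvertFrom-IisW3cLog -Lines $Lines |
        Where-Object { $_.'sc-status' -eq '403' -and $_.'sc-substatus' -eq '18' } |
        Select-Object date, time, 'cs-username', 'c-ip', 'cs-uri-stem', 'cs-uri-query'
}

# Usage: on a real server pass Get-Content over the W3SVC log file instead.
Find-CrossPoolErrors -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

The cs-uri-query column is the value IIS hands to the redirect page, so a row here tells you which application a user was trying to reach when the pool boundary was hit; the absence of a follow-up line for the custom error URL is what the asker reports and this listing makes that easy to spot per client.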

cj_1969

If you are using a META REFRESH you should not have any problems as this is completely handled on the client side and it is just a matter of building the page with the correct code to make it go where you want it to go.

If interested, here is a page that outlines the different redirects that you can implement ... http://blogs.msdn.com/david.wang/archive/2005/08/01/HOWTO_Common_URL_Redirection_Techniques_for_IIS_Summary.aspx  (you might want to look into the 302 redirect).

The problem with a server side redirect, as you found out, is that it has to be a page in the same server or in the newer IIS instances, app pool.

If using the META REFRESH (or any client side redirect) you should not have to code a custom error page as the refresh should redirect to right where you want to go without throwing an error.

If you look at the ASP code for the 301 redirect you should be able to modify this and make it work for a 302 redirect ... http://www.webmasterworld.com/forum23/3432.htm
peiasp

ASKER

Hi cj_1969,

Thanks for the information and the links.  They are helpful.  It is good to know about the 301 method of redirection as well as other possibilities, however, I'm wondering if you can help me further on how I can apply them in my case.

First, perhaps I need to provide one extra piece of information.  Our application/webserver security uses Basic Authentication over SSL.  The only way I know how to detect if a user has an expired password (since I can't control the actual applications) and redirect the user to a change password page is to use a method using a IISADMPWD mechanism.   I have set the AuthExpiredURL in the IIS metabase to redirect the user to the password redirection (redirect.asp) page.    If the user actually gets this page, everything is great and they are redirected.  The redirection from the META REFRESH works since it's from the client.  The problem is that if you are redirected from a different app pool, the IIS code does not run. As far as I know, I don't have a choice on the redirection method for this mechanism.

The second need I have is to send the user back to where they came from once they have created a new password.  In order for this to occur, I rely on using the query string from the IIS redirection to tell me the original page.

So, the only way I know that the user has an expired password is to rely on this IISADMPWD method, which does the initial redirection.  I know I will get a 403.18 error if the redirection occurs from a different pool, so I should be able to handle that error in the redirection application; however, the URL method doesn't work as I mentioned.  Even with this configuration, it just uses the default error message.   As I mentioned, what is strange is that I can set it to basic HTML using the 'File' configuration; however, in this configuration I don't get the query string with the original URL.

Are there other methods in IIS to redirect users with expired passwords?   How does the rest of the world handle this type of problem?  Forms-based authentication using .NET and methods within our software to handle this would be nice down the road, but right now our architecture is what it is.

John

cj_1969

It sounds like your redirect.asp page is just not in the location where it needs to be.
It seems to me that if you place this inside each directory where the authentication is/could be taking place then it would be in the same application pool as the page that is being requested and the redirect would work and you should not have any problems.

That said, if this is not an option then ... I would expect the custom error page that you have created to work, as it does in most cases.  My thought on this is similar to the redirect page ... it is probably not in the location where it needs to be to be usable under all circumstances.  Can you try placing it in the root of the web server and see if it works from there?  Or in its own sub folder off the root.  This should get it out from under any other application definitions and make it the same call no matter where the error occurs from.  Then the requests should be handled consistently.

ASKER

Hi CJ,

  Thanks for the advice.  Here's what occurs.  If I place the redirect.asp page in the default webserver path, then I get the 403.18 error all the time, which I guess makes sense since we have Application Pools for our applications.

   Again, I don't seem to be able to redirect 403.18 to a URL, but I can redirect it to a file, which makes me think that IIS is trying to do the redirection, but there is an apppool issue with the second .asp redirection.

   I reviewed our test server where this mechanism worked in the first place and I found that we had only two application pools there.  One in the same pool as the change password redirection page and the second in the default app pool.  

   At this point, I can't see another alternative. I think that I'm going to plan B.  I'll write something to display a message if I don't know where the user is originating and ask them to open a new browser window.  Not the best solution, but the best I can do given the Application Pool limitation.

    My final comment, for other people doing this, is to be wary of using the IISADMPWD mechanism if you have multiple application pools.

     Thanks for reviewing this issue with me.
ASKER CERTIFIED SOLUTION

cj_1969


ASKER

Hi cj,   The registry fix works!  This allows the custom error to be redirected to the .asp page without the 403.18 error.

For reference to those reading, the setting is the following.

HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\IgnoreAppPoolForCustomErrors - DWORD - value 1
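The asker reported that this fix worked on some servers and not others, which is the classic symptom of a per-host setting that was never applied uniformly across a farm. As an added example (not the poster's code and not from the thread), the PowerShell below reads the value above on the local server, sets it to 1 if asked, and audits it across a list of web servers in one table. The host names are placeholders; the remote audit assumes PowerShell 2.0 remoting is enabled on the targets, and the registry write needs administrator rights. Changes under W3SVC\Parameters take effect after the service restarts, so that step is explicit and opt-in.

```powershell
# Added example: audit and optionally set IgnoreAppPoolForCustomErrors
# (the registry value named in the thread) on IIS servers.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'
$Name    = 'IgnoreAppPoolForCustomErrors'

# Returns the DWORD value, or $null when the value is absent (IIS default behaviour).
function Get-CustomErrorPoolSetting {
    $item = Get-ItemProperty -Path $RegPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Creates or updates the value to 1 and returns the value read back.
function Set-CustomErrorPoolSetting {
    param([switch]$RestartW3svc)
    if (-not (Test-Path $RegPath)) { throw "W3SVC parameters key not found; is IIS installed?" }
    if ($null -eq (Get-CustomErrorPoolSetting)) {
        New-ItemProperty -Path $RegPath -Name $Name -PropertyType DWord -Value 1 | Out-Null
    } else {
        Set-ItemProperty -Path $RegPath -Name $Name -Value 1
    }
    # W3SVC reads its parameters at start-up; restart only when the caller asks for it.
    if ($RestartW3svc) { Restart-Service -Name W3SVC -Force }
    return Get-CustomErrorPoolSetting
}

# Farm audit: one row per server so a missing or 0 value stands out.
# Placeholder host names; the script block is self-contained because it runs remotely.
$Farm = @('webserver01', 'webserver02', 'webserver03')
Invoke-Command -ComputerName $Farm -ScriptBlock {
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters' `
                          -Name 'IgnoreAppPoolForCustomErrors' -ErrorAction SilentlyContinue
    $state = if ($null -eq $v) { '(not set)' } else { $v.IgnoreAppPoolForCustomErrors }
    [pscustomobject]@{ Server = $env:COMPUTERNAME; IgnoreAppPoolForCustomErrors = $state }
} | Format-Table -AutoSize

# Local check / remediation (uncomment the second line to apply):
Get-CustomErrorPoolSetting
# Set-CustomErrorPoolSetting -RestartW3svc
```

Because the setting, as the thread describes it, lets the custom error page execute even when the failing request came from a different pool, keep the virtual directory that hosts the error page minimal: the single redirect page and nothing else, so nothing more than that page is reachable through this path.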


ASKER

Thanks CJ for your assistance.