We are converting some of our web applications that used to run under forms authentication, to now run as windows authentication. I want to recreate the page security that forms authentication had with minimum modification to the actual pages. I was able to recreate the effect I want, with a simplified web app. I am running the app on Server 2008 R2 integrated pipeline IIS 7.5.
I created a simple 3 page app using windows authentication. The three pages are:
The Web.Config for the app:
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <!-- Windows authentication: IIS authenticates the caller, ASP.NET authorizes -->
    <authentication mode="Windows"/>
    <authorization>
      <!-- "?" is the anonymous user, "*" is everyone; rules are checked top to bottom, first match wins -->
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
  <!-- Page-level override: nobody may reach blockedpage.aspx -->
  <location path="blockedpage.aspx">
    <system.web>
      <authorization>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <system.webServer>
    <!-- Replace the IIS 401 response with the app's own error page, executed server-side -->
    <httpErrors errorMode="Custom" >
      <remove statusCode="401" subStatusCode="-1" />
      <error statusCode="401" path="/development/simplesecurityapp/errorpage.aspx" responseMode="ExecuteURL" />
    </httpErrors>
    <validation validateIntegratedModeConfiguration="false" />
    <defaultDocument>
      <files>
        <clear />
        <add value="openpage.aspx" />
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>
(If I don’t attempt to redirect the 401 errors at the asp.net level, I just get the standard “not authorized message” which is not the effect I want to give my users.)
However, I am getting an error that I don’t understand: every time the server resets, the app stops working. IIS simply returns 401 errors until the browser pops up a manual log-in control, which cannot be satisfied. (I never want my users to be presented with the browser log-in prompt.)
However, if I replace the httpErrors section once the application is set up (either by editing the web.config or by updating it through the server GUI), removing the section, accessing the page, and then adding the section back, the application starts to work as expected and continues to until the server is rebooted, at which point it starts giving users the manual login pop-up again, which they cannot resolve.
1) Is this the correct way to secure an app with Windows authentication (is there a better way to make a directory inaccessible, as in forms authentication, yet still supply a custom error page)?
2) Is this an effect of the integrated pipeline and why is it working this way?
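An added example, not code from the question: a small audit helper that reads an ASP.NET web.config and reports the two things the question's configuration is about, namely the authorization rules in effect for the root and for each location override, and any httpErrors entry that rewrites status 401. Windows authentication depends on the 401 challenge, so a custom 401 handler is worth surfacing during a configuration review. The embedded config is the relevant part of the one posted above; the first-match evaluation models only the "?" and "*" identities.

```python
# Added example, not code from the question: a small audit helper that reads an
# ASP.NET web.config and reports the two things the thread is about, namely the
# <authorization> rules in effect for the root and for each <location>, and any
# <httpErrors> entry that overrides status 401. Windows authentication depends on
# the 401 challenge, so a custom 401 handler is worth surfacing during review.
import xml.etree.ElementTree as ET

# Constructed sample input: the relevant parts of the web.config from the question.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Windows"/>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="blockedpage.aspx">
    <system.web>
      <authorization>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <system.webServer>
    <httpErrors errorMode="Custom">
      <remove statusCode="401" subStatusCode="-1" />
      <error statusCode="401" path="/development/simplesecurityapp/errorpage.aspx" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>"""


def authorization_rules(config_xml):
    """Return {scope: [(action, users), ...]} in document order.

    scope is "/" for the root <system.web> block and the path attribute for
    each <location> override. Document order matters because ASP.NET walks the
    rules top to bottom and applies the first one that matches the user."""
    root = ET.fromstring(config_xml)
    rules = {}
    for child in root:
        if child.tag == "system.web":
            scope = "/"
        elif child.tag == "location":
            scope = child.get("path", "/")
        else:
            continue
        for auth in child.iter("authorization"):
            for rule in auth:
                users = rule.get("users") or rule.get("roles") or ""
                rules.setdefault(scope, []).append((rule.tag, users))
    return rules


def access_decision(rules, scope, authenticated):
    """Evaluate first-match semantics for an anonymous (authenticated=False) or
    authenticated user requesting a path in the given scope.

    <location> rules are consulted before the root rules, since the more specific
    configuration wins. Only the "?" (anonymous) and "*" (everyone) identities are
    modelled; named users and roles would need a lookup against the caller."""
    ordered = list(rules.get(scope, []))
    if scope != "/":
        ordered += rules.get("/", [])
    for action, users in ordered:
        identities = {u.strip() for u in users.split(",")}
        if "*" in identities or ("?" in identities and not authenticated):
            return action == "allow"
    return True  # machine-level default in ASP.NET is <allow users="*"/>


def challenge_overrides(config_xml):
    """Return the <httpErrors><error> entries that replace status 401.

    Each entry is reported with its target path and responseMode so a reviewer
    can see that the Windows authentication challenge is being rewritten."""
    root = ET.fromstring(config_xml)
    found = []
    for http_errors in root.iter("httpErrors"):
        for entry in http_errors:
            if entry.tag == "error" and entry.get("statusCode") == "401":
                found.append({"path": entry.get("path"),
                              "responseMode": entry.get("responseMode")})
    return found


if __name__ == "__main__":
    rules = authorization_rules(SAMPLE_WEB_CONFIG)
    for scope in rules:
        print(scope, rules[scope],
              "anonymous:", access_decision(rules, scope, False),
              "authenticated:", access_decision(rules, scope, True))
    for entry in challenge_overrides(SAMPLE_WEB_CONFIG):
        print("401 overridden by", entry["path"], "via", entry["responseMode"])
```

Running the script against the posted config lists the root rules (deny "?", allow "*"), the blockedpage.aspx override (deny "*"), and the single ExecuteURL handler for 401; the same functions can be pointed at any other web.config string during a review.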
You're trying to provide content over a transport error message.
Forms allows you to do this because it's composed of layer 7 stuff, like 302s and 200s. 401s are interpreted by the client browser as "the server didn't like my credentials, so raise a dialog box to ask for new ones".
An authenticated page produces at least one 401 in order to become authenticated; that you're overloading the "error" for something else is probably the root of the problem.
I'm not sure there's an elegant way of doing what you want.
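An added example, not from the question or the answer: a deliberately simplified model of how a browser reacts to the two authentication styles the answer contrasts. The transitions are generic HTTP behaviour (follow a 302; answer a 401 that carries WWW-Authenticate with credentials if it has any, otherwise raise the credential dialog). The server functions, cookie and token strings are constructed for the illustration; real browsers and IIS have more states, and NTLM in particular takes more than one round trip.

```python
# Added example, not from the thread: a simplified model of a browser handling
# forms authentication (302 to a login page) versus Windows authentication
# (401 plus a WWW-Authenticate challenge). Everything below is constructed for
# the illustration and is not a reproduction of IIS or browser internals.
from dataclasses import dataclass, field

MAX_ROUNDS = 5


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def forms_server(path, headers):
    """Forms authentication, layer 7 only: no session cookie means a 302 to the
    login page; the login page and authenticated requests get a plain 200."""
    if path == "/login.aspx":
        return Response(200, body="login form")
    if headers.get("Cookie") == ".ASPXAUTH=valid":      # constructed cookie value
        return Response(200, body="protected page")
    return Response(302, {"Location": "/login.aspx"})


def windows_server(path, headers, custom_401_body=None):
    """Windows authentication: a request without acceptable credentials gets a
    401 plus a WWW-Authenticate challenge. custom_401_body stands in for the
    httpErrors ExecuteURL page from the question; the client still keys its
    behaviour off the status and the challenge header, not the body."""
    if headers.get("Authorization") == "Negotiate VALIDTOKEN":   # constructed token
        return Response(200, body="protected page")
    return Response(401, {"WWW-Authenticate": "Negotiate"},
                    custom_401_body or "401 Unauthorized")


def browser(server, path, sso_token=None, cookie=None):
    """Run one navigation and return the visible actions in order.

    sso_token is the credential the browser can present silently (None for a
    client that has none); it is offered once, after which a further 401 ends
    in the credential dialog."""
    trace = []
    headers = {"Cookie": cookie} if cookie else {}
    credentials_sent = False
    for _ in range(MAX_ROUNDS):
        resp = server(path, headers)
        if resp.status == 302:
            path = resp.headers["Location"]
            trace.append(("follow_redirect", path))
            continue
        if resp.status == 401 and "WWW-Authenticate" in resp.headers:
            scheme = resp.headers["WWW-Authenticate"]
            if sso_token and not credentials_sent:
                headers["Authorization"] = f"{scheme} {sso_token}"
                credentials_sent = True
                trace.append(("send_credentials", scheme))
                continue
            # No usable credentials: the browser raises its login dialog, and the
            # 401 body (the custom error page) is not what the user sees.
            trace.append(("prompt_user", scheme))
            return trace
        trace.append(("render", resp.status, resp.body))
        return trace
    trace.append(("give_up",))
    return trace


if __name__ == "__main__":
    custom = lambda p, h: windows_server(p, h, custom_401_body="friendly error page")
    print("forms, no cookie:   ", browser(forms_server, "/page.aspx"))
    print("windows, SSO works: ", browser(windows_server, "/page.aspx", sso_token="VALIDTOKEN"))
    print("windows, no creds:  ", browser(custom, "/page.aspx"))
    print("windows, stale creds:", browser(windows_server, "/page.aspx", sso_token="STALE"))
```

The last two traces are the point of the answer: whatever page the server executes for the 401, a client without a valid Negotiate token ends at the credential dialog rather than at that page, whereas the forms flow reaches the login page through an ordinary redirect.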