I am following the principles from the following blog post, and I am getting the behavior that I expect when I debug my WCF service using Visual Studio 2010's built-in web server.
http://zamd.net/2008/07/08/error-handling-with-webhttpbinding-for-ajaxjson/
When my application throws a FaultException(), I can see the JSON representation of that fault on my local machine. The application also returns the appropriate HttpStatusCode (in this case, 401 Unauthorized), which is the desired behavior.
{"Code":"UserNotLoggedInFault","DisplayText":"You must be logged in to access this resource.","InternalText":"User is not logged in"}
When I deploy my application to IIS 7.0 though, I get the correct HttpStatusCode, but the HTML returned is the generic text that is associated with the status code:
You do not have permission to view this directory or page.
Because this is working locally, I assume that the issue is an IIS configuration setting. I have already removed the IIS: Error Pages values that were intercepting error statuses (it used to return formatted HTML from %SystemDrive%\inetpub\custerr\\401.htm).
Does anyone know what IIS settings I need to change to allow the JSON response to pass through when an HTTP Status outside of the 200 range is returned? ...or perhaps there is something else I need to do?
UPDATE #1
This only appears to be happening when my application throws a FaultException that also sets the HttpStatusCode to Unauthorized (401). If my application returns a status code of 404 Not Found, then the JSON is returned properly.
The question still stands, but I suppose it only applies to returning a 401 Unauthorized status code.
Here are some screenshots of the response as captured by Charles Web Proxy:
http://imgur.com/a/MkRRI
Here is what it looks like when I hit my local machine:
http://imgur.com/a/RMmsa
UPDATE #2
So this does not happen if I remote desktop into the server and hit the site via localhost. When I hit my URL that requires authentication, I get the proper JSON object returned.
http://i.imgur.com/J5oNn.png
So does that mean that IIS treats 401 status code differently and that non-authenticated users are shielded from the proper response?
We found a setting in IIS "Error pages" configuration that fixes that behavior.
You need to set the error responses to "Detailed Errors"; the default is "Detailed errors for local requests and custom error pages for remote requests". You can set it in your website or server-wide.
It seems that the feature decides to show the custom error page for 401 instead of giving more detail to an unauthorized client.
Just make sure that your service error handling shields the exception, otherwise the client can see a stack trace.
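The shielding the answer asks for, sketched as a WCF `IErrorHandler` (an added example, not code from the question, the answer or the linked blog post). `JsonFault`, its `Status` property and `ShieldingErrorHandler` are hypothetical names; registering the handler on the endpoint's dispatcher is assumed to be done elsewhere.

```csharp
using System;
using System.Diagnostics;
using System.Net;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Json;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Dispatcher;

// Hypothetical fault contract, shaped like the JSON shown in the question.
[DataContract]
public class JsonFault
{
    [DataMember] public string Code { get; set; }
    [DataMember] public string DisplayText { get; set; }
    // No [DataMember]: used for the HTTP status only, never serialized.
    public HttpStatusCode Status { get; set; }
}

public class ShieldingErrorHandler : IErrorHandler
{
    public bool HandleError(Exception error)
    {
        // Full exception (type, message, stack trace) stays in the server log.
        Trace.TraceError(error.ToString());
        return true;
    }

    public void ProvideFault(Exception error, MessageVersion version, ref Message fault)
    {
        // Faults the service threw on purpose pass through unchanged.
        // Anything else is replaced by a generic body, so with IIS set to
        // "Detailed Errors" a remote client never receives exception text.
        var known = error as FaultException<JsonFault>;
        JsonFault body = known != null
            ? known.Detail
            : new JsonFault { Code = "InternalError",
                              DisplayText = "An unexpected error occurred.",
                              Status = HttpStatusCode.InternalServerError };

        fault = Message.CreateMessage(version, "", body,
            new DataContractJsonSerializer(typeof(JsonFault)));
        fault.Properties.Add(WebBodyFormatMessageProperty.Name,
            new WebBodyFormatMessageProperty(WebContentFormat.Json));

        var http = new HttpResponseMessageProperty { StatusCode = body.Status };
        http.Headers[HttpResponseHeader.ContentType] = "application/json";
        fault.Properties.Add(HttpResponseMessageProperty.Name, http);
    }
}
```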