Tuesday, July 28, 2009

Handling 401 (Access Denied) errors with ASP.NET

Handling 401 (Access Denied) errors are easy to handle in ASP.NET. The reason is that it is a simple configuration that can be made at the IIS level, not at the code level.

While it is true you can get to the Request.Status or Request.StatusCode in your Global.asax file. You can also do a Server.Transfer() or Response.Redirect() on your master page. There are lots of ways to handle this. The problem is that if you want to distinguish between 401.1, 401.2, 401.3… 401.7 it is best to use the solution presented here.

Here is a good list of the HTTP Codes. For reference, here is what it says about the 401 codes.

401 - Access denied. IIS defines several different 401 errors that indicate a more specific cause of the error. These specific error codes are displayed in the browser but are not displayed in the IIS log:
401.1 - Logon failed.
401.2 - Logon failed due to server configuration.
401.3 - Unauthorized due to ACL on resource.
401.4 - Authorization failed by filter.
401.5 - Authorization failed by ISAPI/CGI application.
401.7 – Access denied by URL authorization policy on the Web server.

I recommend replacing 401.1 and 401.2 standard files in IIS with your own. This will cause the standard 401.1. and 401.2 pages to not be displayed and instead your custom files be shown to the end user. 401.1 is what the user will get if they click the Cancel button on the authentication prompt. 401.2 is what they will get if they actually have bad username and password for three attempts.

The first thing we need to do is create a new web site or create a virtual directory inside a web site. This is the location were we will save our custom access denied files. In theory you could do this in the same location as your web application, but I like to use the same 401.1 and 401.2 files for all my applications. That way there is less configuration when I deploy a new application to a server.

  1. Make sure Anonymous is enabled under the Directory Security tab.
  2. Navigate in Windows Explorer to the directory and files.
  3. Right-click the directory, choose Properties.
  4. Go to the Security tab and make sure the IIS_WPG group has Read permissions.

To setup your web site (your ASP.NET application) just do the following:

  1. Open up Internet Information Services (IIS) Manager.
  2. Expand Web Sites in the tree view
  3. Right-click on your website or virtual directory and choose the Properties menu item.
  4. Go to the Custom Errors tab as shown below.


  5. Click on 401.1 line and click the Edit… button.
  6. You will see a window titled Edit Custom Error Properties.
  7. Select File from Message type drop down list.
  8. Use the Browse… button to select the access denied page that resides in the anonymous web site we set up.
  9. The window should look something like this.
  10. Do the same thing for the 401.2 item.

Now when a user would normally get the generic 401.1 or 401.2 pages, they will now get your custom pages.

1 comment:

Anonymous said...

tried it in iis6, if the page which has restricted permissions on it is a .aspx page, the IIS custom error message is never called.