I have an ASP.NET MVC3 application with Windows Authentication deployed in IIS6. When an authenticated user clicks on a link that they are not allowed to view, they are prompted to enter their username and password (in the browser dialog box, not on the page), as expected.
However, after clicking Cancel or entering invalid credentials three times, instead of seeing the page 401 Unauthorized Page, I see a blank white page.
Looking at Fiddler, after clicking Cancel, there are three requests / responses. Following are summaries of answers and headings:
Access to ASP.NET is denied (401.2)
HTTP / 1.1 401 Unauthorized Date: Fri, Jul 20, 2012 2:34:21 PM GMT Server: Microsoft-IIS / 6.0 WWW authentication: negotiation WWW authentication: NTLM X-Powered-By: ASP.NET X-AspNet version: 4.0.30319 Cache-Control: private Content-Type: text / html; Encoding = UTF-8 Content Length: 1701 Proxy Support: Session-Based Authentication
IIS You do not have permission to view this page (401.1)
HTTP / 1.1 401 Unauthorized Content Length: 1539 Content-Type: text / html Server: Microsoft-IIS / 6.0 WWW Authentication: NTLM TlRMTVNTUAACAAAADAAMADgAAAAF ... (omitted for brevity) X-Powered-By: ASP.NET Date: Fri , Jul 20, 2012 2:34:21 PM GMT Proxy Support: Session-Based Authentication
Empty response
HTTP / 1.1 401 Unauthorized Date: Fri, Jul 20, 2012 2:34:21 PM GMT Server: Microsoft-IIS / 6.0 WWW authentication: negotiation WWW authentication: NTLM X-Powered-By: ASP.NET X-AspNet version: 4.0.30319 X-AspNetMvc Version: 3.0 Cache-Control: Private Content Length: 0 Proxy Support: Session-Based Authentication
How to do this to display a page with error 401?
Update 1:
Here is my web.config error section.
<customErrors mode="RemoteOnly" defaultRedirect="~/Error" />
I also use HandleErrorAttribute .
I suspect that IIS returns a blank page, not ASP.NET, but I'm not sure how to prove it.
Update 2:
It is interesting. If I refresh a blank page, I see an ASP.NET failure message.
jrummell
source share