Integrated Directory Security

on 14.08.2007 19:03:04 by DUHAAS

I have a site that uses Integrated Windows Auth. The problem I am
trying to solve is, if I have a user that doesn't have access to the
site, I would prefer that the site just take him/her to the 401.1
page, instead of bringing up the username/password dialog box. The
default behavior seems to be you have to hit cancel in order for the
user to realize they are not authorized. I would like them to see the
page since I have a customized page explaining what they should do.

Re: Integrated Directory Security

on 19.08.2007 04:09:14 by natemrice

On Aug 14, 10:03 am, DUHAAS wrote:
> I have a site that uses Integrated Windows Auth. The problem I am
> trying to solve is, if I have a user that doesn't have access to the
> site, I would prefer that the site just take him/her to the 401.1
> page, instead of bringing up the username/password dialog box. The
> default behavior seems to be you have to hit cancel in order for the
> user to realize they are not authorized. I would like them to see the
> page since I have a customized page explaining what they should do.

Unfortunately, this is client-side behavior and you can't directly
control it. Browsers authenticate in order of least secure method to
most secure method, trying to remain as anonymous as possible. If you
allow a user to see a page anonymously they will never be challenged
for credentials and you can't check for them. If you want to check for
credentials, and the user hasn't passed them, then the browser
attempts to pass them in order to facilitate authentication. Hope this
helps.

-Nate
http://www.naterice.com/

Re: Integrated Directory Security

on 20.08.2007 14:18:13 by David Wang

On Aug 14, 10:03 am, DUHAAS wrote:
> I have a site that uses Integrated Windows Auth. The problem I am
> trying to solve is, if I have a user that doesn't have access to the
> site, I would prefer that the site just take him/her to the 401.1
> page, instead of bringing up the username/password dialog box. The
> default behavior seems to be you have to hit cancel in order for the
> user to realize they are not authorized. I would like them to see the
> page since I have a customized page explaining what they should do.


The web server does exactly what you want -- the site does take the
user to the 401.1 page that you customized.

The problem is that the browser interprets the 401 page returned by
the server as "keep trying" and pops up the username/password dialog
box.

What is going on is that the web browser will show the page if the
HTTP status is 200 while it will keep popping up the username/password
dialog box if the HTTP status is 401. For "FILE" Custom Errors, IIS
will send the filename with the HTTP status code of the Custom Error -
no configuration. For "URL" Custom Errors, you get to choose the
content and the HTTP Status code. However, 401.x Custom Errors do not
allow "URL" because there is no proper user security context to
execute the "URL" to generate a response - the user is access denied,
remember?


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
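
The exchange described in this thread, as an added example that is not part of any post and is not IIS or browser code: a simplified Python model in which the server returns the customized page with every 401, and the browser holds that body back while it prompts. The account names, page bodies, the token format and the silent first attempt with the logged-on account are assumptions made for the illustration.

```python
# Added example: simplified model of the exchange, not IIS or browser code.
CUSTOM_401_BODY = "<html>Not authorized: contact the help desk.</html>"  # constructed
SITE_BODY = "<html>site content</html>"                                   # constructed
AUTHORIZED = {"CORP\\alice"}                                              # constructed account

def server(headers):
    """Answer one request. A denied request gets status 401 with the customized
    error page as its body, plus a challenge header asking for credentials."""
    # Assumption: the token is just the account name; real tokens are opaque blobs.
    token = headers.get("Authorization", "")
    user = token[len("Negotiate "):] if token.startswith("Negotiate ") else None
    if user in AUTHORIZED:
        return 200, {}, SITE_BODY
    return 401, {"WWW-Authenticate": "Negotiate"}, CUSTOM_401_BODY

def browse(logged_on_user, dialog_entries):
    """Model the browser. dialog_entries holds what the user types into each
    credential dialog, in order; None means the user pressed Cancel.
    Returns (events, rendered_body)."""
    status, _, body = server({})              # first request carries no credentials
    events = [status]
    # Assumption: the logged-on account is tried silently before any dialog.
    attempts = [("silent", logged_on_user)] + [("dialog", e) for e in dialog_entries]
    for how, user in attempts:
        if status != 401:                     # 200: stop and render the page
            break
        if how == "dialog":
            events.append("dialog")           # the 401 body is held back, not shown
            if user is None:                  # Cancel: only now is the 401 body rendered
                break
        status, _, body = server({"Authorization": "Negotiate " + user})
        events.append(status)
    return events, body

if __name__ == "__main__":
    for who, typed in [("CORP\\alice", []), ("CORP\\bob", [None]),
                       ("CORP\\bob", ["CORP\\alice"])]:
        events, body = browse(who, typed)
        print(who, events, "->", body)
```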