Redirect to default page using Windows Authentication

Discussion in 'ASP .Net Security' started by Dave, Nov 18, 2003.

  1. Dave

    Dave Guest

    Hi,

    Is there a way to redirect the user to a default,
    anonymous, welcome or "splash" page for our application
    when using Windows authentication with Basic enabled?

    In other words, if a user attempts to access a secured
    page directly the first time, they will be redirected to
    the application's main entry point.

    I know this defeats the purpose of setting "Favorites"
    but we want to have updates, news, instructions, etc on
    this anonymous welcome page so the user can see this
    information. It will then have a link or button that
    states "Click here to login". Ideally, it would take
    them then to the orignal page they wanted.

    I know this can be done with Forms authentication.

    Thanks, Dave.
     
    Dave, Nov 18, 2003
    #1
    1. Advertisements

  2. Dave,

    You would have to redirect on the 401 response. As long as the connection
    with IIS is still held in cache (and it should be), this should work fine.
    (I haven't tested it, so don't hold me to it.)

    It would look something like this:

    if (HttpResponse.Status == '401 ACCESS DENIED')
    {
    Response.Redirect('login.aspx');
    }

    Jim Cheshire, MCSE, MCSD [MSFT]
    Developer Support
    ASP.NET


    This post is provided as-is with no warranties and confers no rights.


    --------------------
     
    Jim Cheshire [MSFT], Nov 18, 2003
    #2
    1. Advertisements

  3. Dave

    Dave Guest

    Jim,

    Thanks for the response. I guess I'm not following
    where I would run the code you mentioned other than the
    global.asax.

    I have the following code in there now...

    protected void Application_AuthenticateRequest(Object
    sender, EventArgs e)
    {
    if ((Request.CurrentExecutionFilePath !
    = "/MyApp/Index.aspx") && (User.Identity.IsAuthenticated
    == false))
    {
    Response.Redirect("Index.aspx");
    }
    }

    This works on the first attempt to view a page other than
    index.aspx but when I try to click on a link that goes to
    a page secured by Basic Auth., the code above gets fired
    again and redirects me back to index.aspx. I don't have
    a chance to enter the login credentials.

    Dave.
     
    Dave, Nov 18, 2003
    #3
  4. Dave

    Guest Guest

    You can add the loginUrl property to the forms
    authentication section in your config file :

    <authentication mode="Forms">
    <forms loginUrl="Login.aspx" />
    </authentication>

    Whenever a user has no access to an area, they would be
    directly sent to the login page, and then automatically
    redirected to the area they initially wanted to visit if
    their security issues have been resolved by the new login
    process. This also bring up the url if the session has
    timed out(if you keep the roles in the session object).
    Alex
     
    Guest, Nov 19, 2003
    #4
  5. Dave,

    That's correct. There's no way around that. The way wininet
    authentication works is that if the resource you are requesting does not
    allow anonymous access, a 401 is sent back to the browser. If the resource
    is using Windows Integrated authentication and the browser is configured to
    automatically send credentials, the token is sent back and the user is
    authenticated. In the case of Basic authentication, a login prompt is
    displayed and the user must log in.

    If you intercept the 401 and redirect somewhere, you hijack the browser's
    ability to challenge. There is no way around that.

    Jim Cheshire, MCSE, MCSD [MSFT]
    Developer Support
    ASP.NET


    This post is provided as-is with no warranties and confers no rights.

    --------------------
     
    Jim Cheshire [MSFT], Nov 19, 2003
    #5
  6. Dave

    Dave Guest

    Thanks, but I'm talking about Windows authentication. Not
    forms.
     
    Dave, Nov 24, 2003
    #6
  7. Dave

    Dave Guest

    That's just it. I'm not sure where to trap that error.
    Initially I thought an HttpModule would be my only
    option, but I'm not even sure if the Http Request will
    get that far in the pipeline.

    The webserver may get intercept the request and return
    that error before I can do any type of redirect on the
    backend using asp.net.

    Dave.
     
    Dave, Nov 24, 2003
    #7
  8. Dave,

    You cannot catch this with ASP.NET. Our spec for ASP.NET 1.0/1.1 is that
    only 403, 404, and 500 errors are valid for customErrors. We have changed
    that for the next version of ASP.NET, and you should be able to do this in
    ASP.NET 2.0.

    Jim Cheshire, MCSE, MCSD [MSFT]
    Developer Support
    ASP.NET


    This post is provided as-is with no warranties and confers no rights.

    --------------------
    <>
     
    Jim Cheshire [MSFT], Nov 24, 2003
    #8
  9. Dave

    Eric Larsen Guest

    Can you not redirect to a custom error page for 401 errors? I see you
    can redirect for the different 401 errors in IIS, but it does not seem
    to work for every case. It looks like the Error 401.3 is created by a
    ..NET process. Is there a way to bypass .NET catching the error?

    Thanks,
    Eric


     
    Eric Larsen, Dec 1, 2003
    #9
  10. Eric,

    No, you cannot. IIS handles that before ASP.NET has the opportunity in our
    current architecture.

    Jim Cheshire, MCSE, MCSD [MSFT]
    Developer Support
    ASP.NET


    This post is provided as-is with no warranties and confers no rights.

    --------------------
    <>
    <014601c3ae0c$9ff59be0$>
    <>
     
    Jim Cheshire [MSFT], Dec 2, 2003
    #10
  11. Dave

    Eric Larsen Guest

    Jim

    Thanks for the response, but when I configure the Custom Errors for
    401;3 in IIS, I still get the the generic message instead of the file
    that I set it display. All the other 401 errors go to the file, so I
    can not figure out why IIS is not handling 401.3 the way it is setup
    for that HTTP Error.

    Thanks,
    Eric

     
    Eric Larsen, Dec 5, 2003
    #11
  12. Eric,

    I'm afraid I don't know about that. I specialize in ASP.NET. You should
    probably post in those groups.

    Jim Cheshire, MCSE, MCSD [MSFT]
    Developer Support
    ASP.NET


    This post is provided as-is with no warranties and confers no rights.

    --------------------
    <>
    <014601c3ae0c$9ff59be0$>
    <>
    <028901c3b2ce$e20a2a70$>
    <>
     
    Jim Cheshire [MSFT], Dec 5, 2003
    #12
  13. Dave

    Eric Larsen Guest

    Jim

    I will post a message in a IIS group, but I think this is a ASP.NET
    problem. If I try and access a html file, the redirect works fine, it
    is only when I am trying to access an aspx file that I get the 401.3
    error page.

    Thanks,
    Eric

     
    Eric Larsen, Dec 10, 2003
    #13
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.