tags:

views:

265

answers:

3
+1  Q: 

ASP.NET: disabling authentication for a single aspx page (custom error page)?

I am using a custom error page in IIS 6:

<customErrors redirectMode="ResponseRedirect" mode="On" defaultRedirect="Error2.aspx"/>

I want to disable authentication for the custom error page because the error being raised is related to an authentication module and I don't want to get into an infinite loop and I want to display a clean error page to the user. I have been trying the following configuration to do that.

<location path="Error2.aspx">
 <system.web>
   <authentication mode="None"/>
   <authorization>
     <allow users="?"/>
     <allow users="*"/>
   </authorization>
 </system.web>
</location>

I am getting a System.Configuration.ConfigurationErrorsException for the line that sets the authentication mode.

It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.

I have verified that there are no other web.config files in subdirectories under the application's folder. The applications folder is configured as an application in IIS and the error page is at the application's root. File permissions set for the error page in IIS include anonymous and windows authentication (I have tried just anonymous as well).

A: 

Open your IIS settings, and make sure that the root IIS (machine.config) allows writes to the offending property (either system.web.authentication or system.web.authorization, depending on the line number referenced in the error).

After that, clean your solution and rebuild. I had this problem, and it had nothing to do with machine.config or web.config settings. For some reason, doing a clean and rebuild made the error go away.

Jarrett Meyer  2010-03-29 19:58:12
Sorry, no luck. The allowDefinition in the machine.config is set to MachineToApplication, the default. This means setting the value in the web.config at the root of the application should be fine, which is where I am setting the value.
Richard Collette  2010-03-29 20:16:52
A: 

Check out the following link. It has information that might help regarding the location tag.

<location path="404.aspx">
    <system.web>
       <authorization>
          <allow users="*" />
       </authorization>
    </system.web>
</location>

The easier approach would be to move all your error files and pages that you want to be always accessible to their own directory and then add a web.config file to the directory that grants unauthenticated access.

Kelsey  2010-03-29 20:13:15
It's not quite that simple. The error is thrown in the PostAquireRequestState of a module. This results in a redirect to Error2.aspx, but the PostAquireRequestState of the module is again called. Application.Context.SkipAuthorization is set to false when loading the error page (even with allow users=*). Since a new page is being requested by a redirect, Application.Server.getLastError() is nothing. The code continues to where it threw the error in the first place and therefore the error page does not display. Checking if the request is the error page might work but I suspect caveats.
Richard Collette  2010-03-29 20:49:25
A: 

I changed my custom error redirect mode to rewriteResponse. By doing this, a separate request is not issued for the error page, the authentication module that is raising the error is not re-executed, etc.

I can imagine that this may not suffice in some scenarios (MVC framework perhaps?) but for my use case, it was sufficient.

For now, I am going to answer my own question with this workaround I came up with unless someone else can demonstrate a way to actually disable authentication as originally stated.

Richard Collette  2010-03-31 19:53:44

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?