right, so with iis settings of 'forms authentication' enabled (and set in asp.net web config), the IIS setting kicks in and throws 401 response when the user intentionally does not log in after being prompted... At the IIS level. But, does this pertain whatsoever
to the current bug? as in, should we redirect IIS 401 errors as well? (as in redirect both asp.net errors, and IIS errors to the error page?- and obviously give anonymous users access to that page?
I'm sorry I'm not really that familiar with IIS, so I'm basically wondering -> if forms authentication is used, is the 401 error described above handled by some HTTP Module, or ISAPI filter before it gets to the ASP.NET handlers - I have to assume so, because
i am not catching any exception in the global.asax error handler. So I'm guessing that this situation is safe in respect to the padding oracle issue.
However, has anyone tried the second issue in the post- rewriting the error URL to get 404 with an error page set?
scott.fulfor...
Member
13 Points
8 Posts
Possible holes in Scottgu's solution-?
Sep 23, 2010 01:22 PM|LINK
..
gopalanmani
Star
7826 Points
1320 Posts
Re: what about forms authentication and 401.2 Access is denied error not going to custom error pa...
Sep 23, 2010 01:43 PM|LINK
Hi,
check the following url,
http://thedailyreviewer.com/server/view/access-is-denied-4012-error-109319187
http://www.eggheadcafe.com/software/aspnet/31015921/basic-authentication-fails-with-error-4012-where-integrated-succe.aspx
Gopalan Mani
My Tech blog
scott.fulfor...
Member
13 Points
8 Posts
Re: what about forms authentication and 401.2 Access is denied error not going to custom error pa...
Sep 23, 2010 03:34 PM|LINK
<div style="color: #000000; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: #ffffff; margin: 8px;" mce_style="color: #000000; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: #ffffff; margin: 8px;">right, so with iis settings of 'forms authentication' enabled (and set in asp.net web config), the IIS setting kicks in and throws 401 response when the user intentionally does not log in after being prompted... At the IIS level. But, does this pertain whatsoever to the current bug? as in, should we redirect IIS 401 errors as well? (as in redirect both asp.net errors, and IIS errors to the error page?- and obviously give anonymous users access to that page?
I'm sorry I'm not really that familiar with IIS, so I'm basically wondering -> if forms authentication is used, is the 401 error described above handled by some HTTP Module, or ISAPI filter before it gets to the ASP.NET handlers - I have to assume so, because i am not catching any exception in the global.asax error handler. So I'm guessing that this situation is safe in respect to the padding oracle issue.
However, has anyone tried the second issue in the post- rewriting the error URL to get 404 with an error page set?
Am I missing something?
</div>Rovastar
Member
182 Points
59 Posts
Re: what about forms authentication and 401.2 Access is denied error not going to custom error pa...
Sep 23, 2010 03:38 PM|LINK
If IIS returns your error then it is not a problem. It is only errors in asp.net.
IIS error pages look different to the yellow screen error that asp.net produces.
scott.fulfor...
Member
13 Points
8 Posts
Re: what about forms authentication and 401.2 Access is denied error not going to custom error pa...
Sep 23, 2010 05:40 PM|LINK
..