http://forums.asp.net/t/1605694.aspx/1?Possible+holes+in+Scottgu+s+solution+Thu, 23 Sep 2010 17:40:21 -040016056944094712http://forums.asp.net/p/1605694/4094712.aspx/1?Possible+holes+in+Scottgu+s+solution+ <p>..</p> 2010-09-23T13:22:57-04:004094765http://forums.asp.net/p/1605694/4094765.aspx/1?Re+what+about+forms+authentication+and+401+2+Access+is+denied+error+not+going+to+custom+error+page <p>Hi,</p> <p>check the following url,</p> <p>http://thedailyreviewer.com/server/view/access-is-denied-4012-error-109319187</p> <p>http://www.eggheadcafe.com/software/aspnet/31015921/basic-authentication-fails-with-error-4012-where-integrated-succe.aspx</p> <p><br> </p> <p><br> </p> <p><br> </p> 2010-09-23T13:43:13-04:004094988http://forums.asp.net/p/1605694/4094988.aspx/1?Re+what+about+forms+authentication+and+401+2+Access+is+denied+error+not+going+to+custom+error+page <p><br> </p> <p></p> <blockquote><span class="icon-blockquote"></span> <h4>gopalanmani</h4> <p></p> <p>Hi,</p> <p>check the following url,</p> <p>http://thedailyreviewer.com/server/view/access-is-denied-4012-error-109319187</p> <p>http://www.eggheadcafe.com/software/aspnet/31015921/basic-authentication-fails-with-error-4012-where-integrated-succe.aspx</p> <p><br> </p> <p></p> </blockquote> <p></p> <p></p> &lt;div style=&quot;color: #000000; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: #ffffff; margin: 8px;&quot; mce_style=&quot;color: #000000; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: #ffffff; margin: 8px;&quot;&gt; <p>right, so with iis settings of 'forms authentication' enabled (and set in asp.net web config), the IIS setting kicks in and throws 401 response when the user intentionally does not log in after being prompted... At the IIS level. But, does this pertain whatsoever to the current bug? as in, should we redirect IIS 401 errors as well? (as in redirect both asp.net errors, and IIS errors to the error page?- and obviously give anonymous users access to that page?</p> <p>I'm sorry I'm not really that familiar with IIS, so I'm basically wondering -&gt; if forms authentication is used, is the 401 error described above handled by some HTTP Module, or ISAPI filter before it gets to the ASP.NET handlers - I have to assume so, because i am not catching any exception in the global.asax error handler. So I'm guessing that this situation is safe in respect to the padding oracle issue.</p> <p>However, has anyone tried the second issue in the post- rewriting the error URL to get 404 with an error page set?</p> <p>Am I missing something?</p> &lt;/div&gt; 2010-09-23T15:34:58-04:004095002http://forums.asp.net/p/1605694/4095002.aspx/1?Re+what+about+forms+authentication+and+401+2+Access+is+denied+error+not+going+to+custom+error+page <p>If IIS returns your error then it is not a problem. It is only errors in asp.net.</p> <p>IIS error pages look different to the yellow screen error that asp.net produces.<br> </p> 2010-09-23T15:38:48-04:004095180http://forums.asp.net/p/1605694/4095180.aspx/1?Re+what+about+forms+authentication+and+401+2+Access+is+denied+error+not+going+to+custom+error+page <p>..</p> 2010-09-23T17:40:21-04:00