HTTP Error 401.2 - Unauthorized (for DefaultDocument)

Question

I am getting a 401.2 error on the default document in VS2013 (and IIS). Here are the steps I'm taking:

In VS2013, right click choose "New Project"
Choose "ASP.NET Web Application", click OK
Choose "Empty" project, Check "Web Forms" at the bottom and click OK
Right click on the project and choose "Add | Web Form" - named Default.aspx with "Authentication Succeeded" as the page content
Right click on the project and choose "Add | Web Form" - named Login.aspx
Add a "Login" as the page content
Assign an "Authentication" event handler that sets "e.Authenticated = true"
Update the web.config as listed below
Press F5

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="ValidationSettings:UnobtrusiveValidationMode" value="None" />
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" />
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>
  </system.web>
  <system.webServer>
    <defaultDocument>
      <files>
        <clear />
        <add value="default.aspx" />
      </files>
    </defaultDocument>
    <security>
      <authorization>
        <remove users="*"/>
        <add accessType="Deny" users="?" />
        <add accessType="Allow" users="*"/>
      </authorization>
    </security>
  </system.webServer>
</configuration>

The behavior that I'm seeing is that http://localhost:12345/Default.aspx behaves correctly (always). In other words, when I first go to Default.aspx, it redirects me to the Login.aspx page. Once I've authenticated, I can see the Default.aspx page. If I logout and try to go to the Default.aspx page again it redirects me to login first.

However, when I got the / URL instead (no Default.aspx) I get a 401.2 error (even if I've authenticated 1st)?

The Default.aspx page is listed as a default document, and if I remove the "Deny" line from the Web.Config - then the default document behaves as expected. But when Deny ? is listed in the web config, suddenly the default document stops working and I have to go to /Default.aspx in order to avoid a 401.2 error.

Any suggests as to why this would behave like this?

I see no errors about any of this in the event log. I see the same behavior when using IISExpress (in VS by pressing F5) or with IIS when going to the public URL directly through a browser.

Thanks Daniel. I have changed the case to match - and that does not affect the result. :/ — eejai42, Feb 23 '15 at 18:30

score 2 · Accepted Answer · answered Feb 24 '15 at 16:14

2

I hesitate to offer this as an answer as I don't understand exactly why it worked for me. However it is too long for a comment and it might help you.

I found that adding the following to the System.Webserver section solved this problem:

<modules>
<remove name="FormsAuthentication"/>
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule"  />
</modules>

The key seems to be to remove the managedHandler Precondition from the FormsAuthentication module. As I understand it this is only supposed to optimize serving of static content. So I do not at this point know why it would have this effect. I stumbled on this trying to establish if FormsAuthentication module needed to be registered in the System.Webserver section.

answered Feb 24 '15 at 16:14

Daniel C

1,332
9
15

2

Yeah, by default, these modules only run for "managed" requests, like having `.aspx` in the URL and similar. The same applies to e.g. the `Session` etc. You can also use the `runAllManagedModulesForAllRequests` attribute to apply this to all the HTTP modules. – Luaan Feb 24 '15 at 16:44
2

@luaan but I am still in the dark as to why this affected the defaultdDocument i.e. '/' – Daniel C Feb 24 '15 at 16:53
Thanks - that's very interesting. At least this serves as a workaround. I'm also confused by this. Seems like the two things should not be related. I first ran into this problem on a site that also had the MVC pipeline registered, and I assumed that it was related to that - but when the problem occured even on a straight WebForms project, I switched back to being confused. – eejai42 Feb 24 '15 at 23:58
1

@DanielC That's because you're not *redirected* to `Default.aspx` - the request just goes to `Default.aspx` on the server. So the actual request URL, which is used to determine the modules and handlers to use, is just `/` instead of `/Default.aspx`. It's a bit of an oversight, to say the least. – Luaan Feb 25 '15 at 08:26

HTTP Error 401.2 - Unauthorized (for DefaultDocument)

1 Answers1