HTTP Error 401.2 - Unauthorized (for DefaultDocument)

0
votes

I am getting a 401.2 error on the default document in VS2013 (and IIS). Here are the steps I'm taking:

  1. In VS2013, right click choose "New Project"
  2. Choose "ASP.NET Web Application", click OK
  3. Choose "Empty" project, Check "Web Forms" at the bottom and click OK
  4. Right click on the project and choose "Add | Web Form" - named Default.aspx with "Authentication Succeeded" as the page content
  5. Right click on the project and choose "Add | Web Form" - named Login.aspx
  6. Add a "Login" as the page content
  7. Assign an "Authentication" event handler that sets "e.Authenticated = true"
  8. Update the web.config as listed below
  9. Press F5

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="ValidationSettings:UnobtrusiveValidationMode" value="None" />
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" />
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>
  </system.web>
  <system.webServer>
    <defaultDocument>
      <files>
        <clear />
        <add value="default.aspx" />
      </files>
    </defaultDocument>
    <security>
      <authorization>
        <remove users="*"/>
        <add accessType="Deny" users="?" />
        <add accessType="Allow" users="*"/>
      </authorization>
    </security>
  </system.webServer>
</configuration>

The behavior that I'm seeing is that http://localhost:12345/Default.aspx behaves correctly (always). In other words, when I first go to Default.aspx, it redirects me to the Login.aspx page. Once I've authenticated, I can see the Default.aspx page. If I logout and try to go to the Default.aspx page again it redirects me to login first.

However, when I got the / URL instead (no Default.aspx) I get a 401.2 error (even if I've authenticated 1st)?

The Default.aspx page is listed as a default document, and if I remove the "Deny" line from the Web.Config - then the default document behaves as expected. But when Deny ? is listed in the web config, suddenly the default document stops working and I have to go to /Default.aspx in order to avoid a 401.2 error.

Any suggests as to why this would behave like this?

I see no errors about any of this in the event log. I see the same behavior when using IISExpress (in VS by pressing F5) or with IIS when going to the public URL directly through a browser.

1
c#asp.netvisual-studio-2013iis-8default-document
I think defaultDocument filenames are case sensitiveDaniel C
Thanks Daniel. I have changed the case to match - and that does not affect the result. :/eejai42

1 Answers

2
votes

I hesitate to offer this as an answer as I don't understand exactly why it worked for me. However it is too long for a comment and it might help you.

I found that adding the following to the System.Webserver section solved this problem:

<modules>
<remove name="FormsAuthentication"/>
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule"  />
</modules>

The key seems to be to remove the managedHandler Precondition from the FormsAuthentication module. As I understand it this is only supposed to optimize serving of static content. So I do not at this point know why it would have this effect. I stumbled on this trying to establish if FormsAuthentication module needed to be registered in the System.Webserver section.