Access is Denied - 401.2: Unauthorized Error

https://stackoverflow.com/questions/20802673

22-09-2022
|

Question

I have an ASP.NET website hosted on IIS 7.5 as below:

I have "customwebsite.com" as the website and in it I have two Web Applications - uk & us - so that I can access these application as customwebsite.com/uk & customwebsite.com/us.

customwebsite.com directory does not have any web.config and have only two folders for web application us and uk.

Both us and uk web application have their individual web.config and have Form Authentication specified as below:

    <authentication mode="Forms">
      <forms loginUrl="/static/login.aspx" name="login" timeout="20"/>
    </authentication>

    <authorization>
      <deny users="?" />
    </authorization>

At this path: /static, there is a web.config with following content:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <authorization>
            <allow users="?" />
        </authorization>
    </system.web>
</configuration>

When I hit the root URL for us application, the Website loads correctly but if I loads from uk, I got the error as below: enter image description here

I have checked the Folder Security, and all the required users have been granted permission and are same for both us and uk applications.

I have checked the IIS logs and below is the response codes of the request in case of failure: 401 0 0 1519 296

Can someone help me resolving this issue.

Solution

Got it resolved.

There was two more folders where the redirection of /static/login.aspx happens.

We need to allow access to all such redirecting folders by having a web.config files in those folders with below content:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <authorization>
            <allow users="?" />
        </authorization>
    </system.web>
</configuration>

OTHER TIPS

Ran into this same error, but had a different resolution. In our case we had to set:

<machineKey compatibilityMode="Framework45" />

Details here: http://ardalis.com/asp-net-shared-authentication-problem-solved

In our case we had an error on the login page that redirected to the an error page that the user did not have rights to see, so it redirected to the login page... cycle rinse repeat.

We removed all the controls from the UI, then added them back one by one until the page crashed. Then we could narrow down the controls that had an error.

And yes, we gave all users access to the error page.

Check below IIS setting

Authorization Rules -must contain only allow user setting not any any other rule ex. deny user rule.

Licensed under: CC-BY-SA with attribution

Not affiliated with StackOverflow