This is expected behavior. There are 2 phases when a user accesses a protected resource:
- Authentication – validating of a user credentials against a user repository
- Authorization – checking that a user has permissions to access a resource.
When the user authentication failed a server requires to perform the authentication once again. In the case for the Form Authentication a user see the login page once again. When the user authorization is failed a server shows authorization error page (generally it is HTTP 403 error). It is possible to customize the error page.