Why is IIS 7 showing me a default 403 page?

Question

I have setup an asp.net 4.0 site where if someone tries to access an authorized area they get redirected to a SignIn page and the status is set to 403.

On my local machine it redirects to the SignIn page with the 403 status. On IIS 7 I get a nasty 403 Forbidden page instead of the SignIn page.

How can I get it to work on IIS 7 like it does on my Local?

Answer 1

IIS has default pages for all the HTTP error codes. You can override these in IIS to redirect to your own page.

IIS also recognizes the ASP.NET tag in the web.config file and uses that first if it's available, so you will need to setup your custom errors tags as follows:

<customErrors defaultRedirect="defaultError.aspx" mode="On">
   <error statusCode="403" redirect="my403page.aspx"/>
</customErrors>

Hope this is what you're after. You can also use forms authentication in ASP.NET to achieve this, it uses cookies but works quite well with the scenario you described, unless you specifically need them to be redirected to a 403 page.

Answer 2

I would check to make sure the authentication settings in your web.config file are the same in both environments.

EDIT

You might also be running into a problem with the anonymous authentication identity. I've run into this issue myself when first moving a site to IIS7. MSDN has a page the runs through your possible options.

Answer 3

By "nasty" it sounds like you mean that IIS is throwing up its default 403 err message page. You could set the custom 403 error in IIS to redirect the user to your friendly signin page.

Not sure that's the best design, necessarily, but it probably would solve your problem based on how you've explained it...