My website is using forms authentication. I have this in the root (with some changes for security purposes):
<forms loginUrl="~/Login/Default.aspx" name=".MyAuthCookie"
protection="All" path="/" timeout="30" />
This works great: when an unauthenticated user tries to access the site, he is directed to the login page.
I have several folders that are restricted using their own very short files, like this:
<allow roles="Administrator, Executive"/>
<allow users="User1, User2"/>
This also works great: when someone other than an allowed user or role tries to access a file in the folder, they are denied.
is that IIS treats the denied user as if he was unauthenticated, and redirects him to the login page. The behavior I want is to recognize that he is authenticated, just not authorized, and redirect him to a page that says "Permission denied."
I have custom errors enabled, and the 401 status is redirected to a page called "NoPermission.aspx". Unfortunately, it is not being caught.
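The following is an added example and not part of the original post. It shows one common way to tell "authenticated but not authorized" apart from "not logged in". With forms authentication, the 401 raised by URL authorization is rewritten into a redirect to loginUrl with a ReturnUrl query string, so a customErrors mapping for 401 is never reached. Assumptions: the code-behind class names, NoPermission.aspx living at the site root, and the choice to answer with HTTP 403.

```csharp
// Code-behind sketches for Login/Default.aspx and NoPermission.aspx.
// Class names and the "~/NoPermission.aspx" path are assumptions for illustration.
using System;
using System.Web.UI;

public partial class Login_Default : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // A ReturnUrl means the request was bounced here from a protected resource.
        bool bounced = !string.IsNullOrEmpty(Request.QueryString["ReturnUrl"]);

        // Already authenticated AND bounced: the user holds a valid ticket but
        // failed the <allow roles/users> check. Logging in again cannot help,
        // so send them to the permission-denied page instead of the login form.
        if (Request.IsAuthenticated && bounced)
        {
            // Fixed, local target: ReturnUrl is only tested for presence and is
            // never used as a redirect destination here.
            Response.Redirect("~/NoPermission.aspx", false);
            Context.ApplicationInstance.CompleteRequest();
        }
        // Otherwise fall through and render the normal login form.
    }
}

public partial class NoPermission : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // 403 = identity known, access refused. A 401 here would be turned
        // back into a login redirect by forms authentication.
        Response.StatusCode = 403;

        // Keep IIS from replacing this page's body with its own 403 error page.
        Response.TrySkipIisCustomErrors = true;
    }
}
```

NoPermission.aspx has to sit in a location that every authenticated user is allowed to read, otherwise the denied user is bounced to the login page again.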