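I am using ASP.NET 3.5 web.config to limit access and it works great.

    <!-- Authenticate with Windows credentials (the element is self-closing) -->
    <authentication mode="Windows" />
    <authorization>
        <!-- Rules are evaluated top down: allow the named users, deny the rest -->
        <allow users="Bill, John"/>
        <deny users="*"/>
    </authorization>
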
Unauthorized (but authenticated) users will be blocked by a system error message saying that:

    Server Error in '/' Application
    Access is denied.
    Description: An error occurred while .......
    Error message 401.2: Unauthorized: Logon failed due to server configuration ...

In order to make the message more friendly, I uncomment the customErrors flag and create a GenericErrorPage.htm in the root path of my project.

    <customErrors mode="On" defaultRedirect="GenericErrorPage.htm">
        <error statusCode="403" redirect="NoAccess.htm" />
        <error statusCode="404" redirect="FileNotFound.htm" />
    </customErrors>

However, it just doesn't work. I still get the system error message rather than my custom error page.
Any suggestions will be appreciated.
You won't see it - custom error pages are served by the ASP.NET application, but Windows auth is served up by IIS itself.
Now you can set IIS to use different error pages. For IIS7 this needs a separate configuration section:

    <system.webServer>
        <httpErrors errorMode="Custom" existingResponse="Auto">
            <error statusCode="403"
                   subStatusCode="-1"
                   prefixLanguageFilePath=""
                   path="C:\inetpub\wwwroot\errors\403.htm"
                   responseMode="File" />
        </httpErrors>
    </system.webServer>

And you'll need to ensure the app pool user has access to that path.
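
The answer's httpErrors approach, written so it can live in the site's own web.config and cover the 401 shown in the question. This is an added example, not code from either post. The page path errors\401.htm is a hypothetical placeholder, and it assumes IIS 7 or later with the httpErrors section delegated to the site.

```xml
<configuration>
  <system.webServer>
    <!-- errorMode="Custom" serves the friendly page to local and remote
         clients alike, so detailed IIS error text is not shown. -->
    <httpErrors errorMode="Custom" existingResponse="Auto">
      <!-- The server-level configuration normally already defines an entry
           for 401; remove it first, or IIS rejects the file because the
           collection entry is duplicated. -->
      <remove statusCode="401" subStatusCode="-1" />
      <!-- subStatusCode="-1" matches every 401.x, including 401.2.
           The path is relative to the site root: absolute paths are refused
           in web.config unless allowAbsolutePathsWhenDelegated is enabled
           at server level.
           responseMode="File" keeps the 401 status and its headers, so the
           Windows authentication challenge still works; a redirect would
           replace it with a 302. -->
      <error statusCode="401"
             subStatusCode="-1"
             prefixLanguageFilePath=""
             path="errors\401.htm"
             responseMode="File" />
    </httpErrors>
  </system.webServer>
</configuration>
```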