ASP.NET: disabling authentication for a single aspx page (custom error page)?

Question

I am using a custom error page in IIS 6:

<customErrors redirectMode="ResponseRedirect" mode="On" defaultRedirect="Error2.aspx"/>

I want to disable authentication for the custom error page because the error being raised is related to an authentication module and I don't want to get into an infinite loop and I want to display a clean error page to the user. I have been trying the following configuration to do that.

<location path="Error2.aspx">
 <system.web>
   <authentication mode="None"/>
   <authorization>
     <allow users="?"/>
     <allow users="*"/>
   </authorization>
 </system.web>
</location>

I am getting a System.Configuration.ConfigurationErrorsException for the line that sets the authentication mode.

It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.

I have verified that there are no other web.config files in subdirectories under the application's folder. The applications folder is configured as an application in IIS and the error page is at the application's root. File permissions set for the error page in IIS include anonymous and windows authentication (I have tried just anonymous as well).

Answer 1

Check out the following link . It has information that might help regarding the location tag.

<location path="404.aspx">
    <system.web>
       <authorization>
          <allow users="*" />
       </authorization>
    </system.web>
</location>

The easier approach would be to move all your error files and pages that you want to be always accessible to their own directory and then add a web.config file to the directory that grants unauthenticated access.

Answer 2

I changed my custom error redirect mode to rewriteResponse. By doing this, a separate request is not issued for the error page, the authentication module that is raising the error is not re-executed, etc.

I can imagine that this may not suffice in some scenarios (MVC framework perhaps?) but for my use case, it was sufficient.

For now, I am going to answer my own question with this workaround I came up with unless someone else can demonstrate a way to actually disable authentication as originally stated.

Answer 3

Open your IIS settings, and make sure that the root IIS (machine.config) allows writes to the offending property (either system.web.authentication or system.web.authorization, depending on the line number referenced in the error).

After that, clean your solution and rebuild. I had this problem, and it had nothing to do with machine.config or web.config settings. For some reason, doing a clean and rebuild made the error go away.