A sample of how to troubleshoot an EPiServer installation running Windows integrated security (also known as Windows NT Challenge/Response authentication).
Protocol
C -> S GET ...
S -> C 401 Unauthorized
WWW-Authenticate: NTLM
C -> S GET ...
Authorization: NTLM TlRMTVNTUAABAAAAA7IAAAoACgApAAAACQAJACAAAABMSUdIVENJVFlVUlNBLU1JTk9S
S -> C 401 Unauthorized
WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAAU3J2Tm9uY2UAAAAAAAAAAA==
C -> S GET ...
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHIAAAAYABgAigAAABQAFABAAAAADAAMAFQAAAASABIAYAAAAAAAAACiAAAAAYIAAFUAUgBTAEEALQBNAEkATgBPAFIAWgBhAHAAaABvAGQATABJAEcASABUAEMASQBUAFkArYfKbe/jRoW5xDxHeoxC1gBmfWiS5+iX4OAN4xBKG/IFPwfH3agtPEia6YnhsADT
S -> C 200 Ok
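When troubleshooting, it helps to decode the base64 tokens in the exchange above to see what each side actually sent. The following Python sketch is an added example, not part of the original post or of EPiServer; the names parse_ntlm, T1, T2 and T3 are illustrative, the field offsets follow the published NTLM message layout, and OEM text is assumed to be ASCII.

```python
import base64
import struct

# Header values copied from the exchange shown above.
T1 = "NTLM TlRMTVNTUAABAAAAA7IAAAoACgApAAAACQAJACAAAABMSUdIVENJVFlVUlNBLU1JTk9S"
T2 = "NTLM TlRMTVNTUAACAAAAAAAAACgAAAABggAAU3J2Tm9uY2UAAAAAAAAAAA=="
T3 = "NTLM TlRMTVNTUAADAAAAGAAYAHIAAAAYABgAigAAABQAFABAAAAADAAMAFQAAAASABIAYAAAAAAAAACiAAAAAYIAAFUAUgBTAEEALQBNAEkATgBPAFIAWgBhAHAAaABvAGQATABJAEcASABUAEMASQBUAFkArYfKbe/jRoW5xDxHeoxC1gBmfWiS5+iX4OAN4xBKG/IFPwfH3agtPEia6YnhsADT"

MIN_LEN = {1: 32, 2: 32, 3: 64}  # fixed-size part this parser reads, per type

def _field(msg, pos, unicode_):
    """Follow a (Len, MaxLen, Offset) descriptor at pos and decode its payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field descriptor points outside the message")
    raw = msg[offset:offset + length]
    return raw.decode("utf-16-le" if unicode_ else "ascii", "replace")

def parse_ntlm(value):
    """Decode the value of an Authorization / WWW-Authenticate header."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token.strip():
        raise ValueError("no NTLM token (a bare 'NTLM' is only the server's offer)")
    msg = base64.b64decode(token.strip(), validate=True)
    if msg[:8] != b"NTLMSSP\0" or len(msg) < 12:
        raise ValueError("missing NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype not in MIN_LEN or len(msg) < MIN_LEN[mtype]:
        raise ValueError("unknown type or truncated message")
    if mtype == 1:  # negotiate: client offers flags, domain, workstation (OEM text)
        return {"type": 1, "flags": struct.unpack_from("<I", msg, 12)[0],
                "domain": _field(msg, 16, False),
                "workstation": _field(msg, 24, False)}
    if mtype == 2:  # challenge: server returns flags and an 8-byte nonce
        flags = struct.unpack_from("<I", msg, 20)[0]
        return {"type": 2, "flags": flags, "target": _field(msg, 12, flags & 1),
                "challenge": msg[24:32]}
    flags = struct.unpack_from("<I", msg, 60)[0]  # authenticate: client's proof
    uni = flags & 1  # NTLMSSP_NEGOTIATE_UNICODE
    return {"type": 3, "flags": flags, "domain": _field(msg, 28, uni),
            "user": _field(msg, 36, uni), "workstation": _field(msg, 44, uni),
            # 24 bytes is the NTLMv1 response size; NTLMv2 responses are longer
            "nt_response_len": struct.unpack_from("<H", msg, 20)[0]}

if __name__ == "__main__":
    for header in (T1, T2, T3):
        print(parse_ntlm(header))
```

If the third message never appears in a capture, or its user field is not the account you expect, the problem is on the client side of the handshake rather than in EPiServer's authorization.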
A known bug in EPiServer VPPs (up to CMS version 6) causes the VPP to respond with an “Unauthenticated exception” instead of a 401, as it should. To fix this, you can force IIS to not accept anonymous users.
Force login to the whole site
<authentication mode="Windows" />
<authorization>
  <deny users="?" />
</authorization>
Force login to a virtual page provider
<location path="pages">
  <system.web>
    <authorization>
      <allow roles="*" />
      <deny users="?" />
    </authorization>
  </system.web>
</location>
If this cannot be done, here is a minimal hack to transform the “Unauthenticated exception” into an HTTP status 401.
In global.asax.cs (only for Windows integrated security)
// Needs: using System; using EPiServer.Core; using EPiServer.Security;
void Application_Error(object sender, EventArgs e)
{
    // Nothing to do unless an exception with an inner exception was raised.
    if (Context == null
        || Context.Error == null
        || Context.Error.InnerException == null)
    {
        return;
    }

    // Answer access-denied exceptions with a 401 and an NTLM challenge,
    // so the browser starts the handshake instead of showing an error page.
    if (Context.Error.InnerException is AccessDeniedException
        || Context.Error.InnerException is UnauthorizedAccessException)
    {
        log4net.ILog _log = log4net.LogManager.GetLogger(typeof(Global));
        if (_log.IsInfoEnabled)
        {
            _log.InfoFormat(
                "The user {0} has not access to {1} sending HTTP status 401 instead of exception",
                PrincipalInfo.CurrentPrincipal.Identity.Name,
                Request.RawUrl);
        }

        Response.Buffer = true;
        Response.StatusCode = 401;
        Response.StatusDescription = "Unauthorized";
        Response.AddHeader("WWW-Authenticate", "NTLM");
        Response.End();
    }
}