Friday, January 13, 2017

Unable to redirect a HTTP Error 404.0 - Not Found page to a custom page on IIS 7.0

A client recently reached out to me to assist with a requirement that was requested after receiving a penetration test from an external vendor for their older Windows Server 2008 R1 Citrix XenApp 6.5 environment where when attempting to navigate to a page that did not exist, the browser would display a HTTP Error 404.0 – Not Found page that reveals the IIS version along with some other details of the web server:

image

What the client wanted to do was simply redirect the page to a custom page that did not reveal any information about the server.  To do this, he placed a 404-Copy.htm page in the C:\Inetpub\wwwroot\Citrix directory:

image

… then redirecting the page via the following field in the 404 Custom Error Page:

/Citrix/404-Copy.htm

image

image

The problem with the configuration above is that the user would now be presented with the following HTTP Error 500.19 – Internal Server Error page with the message:

Absolute physical path "C:\inetpub\custerr\" is not allowed in system.webServer/httpErrors section in web.config file. Use relative path instead.

image

Searching for this error brought me to the following Microsoft blog post:

Custom Error Pages – HTTP Error 500.19 – Internal Server Error
https://blogs.msdn.microsoft.com/benjaminperkins/2012/05/02/custom-error-pages-http-error-500-19-internal-server-error/

Which suggested to used the Configuration Editor to configure the allowAbsolutePathsWhenDelegated to true but this option was not available in the IIS administration console:

image

The following is from another server with IIS 7.5 on Windows Server 2012 that has the Configuration Editor available:

image

After trying to find another way to set the variable but unable to find a way to, I found that we could get around this by simply place the 404-Copy.htm page in the root directory C:\Inetpub\wwwroot:

image

Then referencing the page via the path:

/Citrix/404-Copy.htm

image

image

Providing us with the result that we wanted:

image

Another method which is not preferred is to completely remove the 404 error page as such:

image

Which would result in the following page displayed:

image

Troubleshooting this issue on this older Windows 2008 R1 server was a but of a nuance so I hope this post would save someone else a bit of time.

No comments: