Handling IIS Error pages in Sitecore

Sitecore lets you direct errors, such as page not found, to other pages within Sitecore. This is good – it lets you have an error page with all your dynamic content (navigation menus, account details, etc).

You can patch this in with something like:

<?xml version="1.0"?>
<configuration xmlns:x="http://www.sitecore.net/xmlconfig/">
<!-- Default: /sitecore/service/notfound.aspx -->
<setting name="ItemNotFoundUrl">
<x:attribute name="value" value="/errors/Item Not Found" />
<!-- Default: /sitecore/service/nolayout.aspx -->
<setting name="LayoutNotFoundUrl">
<x:attribute name="value" value="/errors/Item Not Found" />
<!-- Default: /sitecore/service/notfound.aspx -->
<setting name="LinkItemNotFoundUrl">
<x:attribute name="value" value="/errors/Item Not Found" />
<!-- Default: /sitecore/service/noaccess.aspx -->
<setting name="NoAccessUrl">
<x:attribute name="value" value="/errors/No Access" />
<!-- Default: /sitecore/service/error.aspx -->
<setting name="ErrorPage">
<x:attribute name="value" value="/errors/Error" />

Great, job done, right?


What happens if a user’s request doesn’t even reach Sitecore? What if IIS itself throws a HTTP 500 error, or if a request isn’t even routed to Sitecore? Well, you’ll receive the error page defined by IIS, or possibly web.config.

(Side note – It’s easy to see this on a vanilla Sitecore instance. Trying going to your Sitecore site, then type into the url /asdf.asdf . This is a request for a file with the extension .asdf and so doesn’t get routed to Sitecore. It also doesn’t exist, so IIS sends your to a 404 page – but not your nice dynamic page in Sitecore. )

Fine, well what if I want to handle those, too?

First, create static copies of your error pages that don’t rely on Sitecore. If Sitecore has died, your error page cannot contain dynamic Sitecore content. Here is an example – note that there is no dynamic top navigation, no user details in the top right…

Even the image on the page is served statically. Fine. What about the file type? I tend to use .aspx pages (non-Sitecore ones) so I can include the following inline code:

Response.Status = "404 Page Not Found";
Response.StatusCode = 404;

This lets us send the correct HTTP status code. That can removed a lot of false positives during automated penetration testing.

How do we configure to use these pages? Well, you need to put the following in your web.config under <system.webserver> …

<httpErrors errorMode="Custom">
<error statusCode="500" prefixLanguageFilePath="" path="/static/500.aspx" responseMode="ExecuteURL" />
<error statusCode="404" prefixLanguageFilePath="" path="/static/404.aspx" responseMode="ExecuteURL" />
<error statusCode="403" prefixLanguageFilePath="" path="/static/403.aspx" responseMode="ExecuteURL" />
<error statusCode="401" prefixLanguageFilePath="" path="/static/401.aspx" responseMode="ExecuteURL" />

Right, this tells IIS what pages to use for those errors outside of Sitecore. Note, some of our projects actually use a responseMode of “Redirect”, and you can use “File” if you’re using a truly static error page (e.g. a .html file) .

Don’t forget to set your CustomErrors setting, but that should be about it…

… except if you’ve a multi-tenanted Sitecore system. Let’s say your Sitecore system supports 2 different websites, and they should have 2 different IIS 404 error pages. How do you achieve that?

Short answer – UrlRewriting rules. Set your error page settings as above, but then using a rewrite from, say /500.aspx to /errorpages/myfirsttenant/500.aspx, matching on the domain name of the request.

<rule name="Redirect Error Page to Tenant Site Error Page" stopProcessing="true">
<match url="500.aspx" />
<add input="{HTTP_HOST}" pattern="(www\.)?(myfirsttenant)\.(.+)" />
<action type="Rewrite" url="/ErrorPages/myfirsttenant/500.aspx" appendQueryString="false" redirectType="Permanent" />

Repeat this for each error, and repeat all of them for each tenant…

You’ll probably also have to use a responseMode of “Redirect” as mentioned above.



Handling IIS Error pages in Sitecore

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.