Develop Reference

IIS ASP.NET - URL Rewrite - FormsAuthentication module fires before RewriteModule module

I have one site and 3 applications in 3 virtual folders and 3 app pools.
I use URL rewrite (redirect or rewrite doesn't matter) to catch some wrong urls and rewrite or redirect to appropriate application.
All 3 apps are asp.net MVC and use Forms Auth.
They must use sepparate app pools.
If I use rewrite I have an error that URL can't be served from same app pool, so rewriting doesn't work across app pools, that is a known issue.
If I use redirect there is a problem that before I can issue a redirect from URL rewrite FormsAuth sends redirect for login.
This is scenario where I am already logged in in app1, but I want to redirect from app2 and app2 has no session yet and it redirects me to login of app2 instead that I get URErewrite/redirect to URL in app1.
Can this be overridden ?
So that URL Rewrite redirect is not surpassed with FormsAuth redirect.
I tried to put RewriteModule in front of FormsAuthentication module in main applicationHost.config (C:\Windows\System32\inetsrv\Config) but it doesn't work :
<modules>
<add name="IsapiModule" lockItem="true" />
<add name="IsapiFilterModule" lockItem="true" />
<add name="HttpLoggingModule" lockItem="true" />
<add name="HttpCacheModule" lockItem="true" />
<add name="StaticCompressionModule" lockItem="true" />
<add name="DefaultDocumentModule" lockItem="true" />
<add name="DirectoryListingModule" lockItem="true" />
<add name="ProtocolSupportModule" lockItem="true" />
<add name="HttpRedirectionModule" lockItem="true" />
<add name="StaticFileModule" lockItem="true" />
<add name="AnonymousAuthenticationModule" lockItem="true" />
<add name="WindowsAuthenticationModule" lockItem="true" />
<add name="RequestFilteringModule" lockItem="true" />
<add name="CustomErrorModule" lockItem="true" />
<add name="FailedRequestsTracingModule" lockItem="true" />
<add name="ConfigurationValidationModule" lockItem="true" />
<add name="OutputCache" type="System.Web.Caching.OutputCacheModule" preCondition="managedHandler" />
<add name="RewriteModule" />
<add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
<add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" preCondition="managedHandler" />
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="managedHandler" />
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" preCondition="managedHandler" />
<add name="RoleManager" type="System.Web.Security.RoleManagerModule" preCondition="managedHandler" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" preCondition="managedHandler" />
<add name="FileAuthorization" type="System.Web.Security.FileAuthorizationModule" preCondition="managedHandler" />
<add name="AnonymousIdentification" type="System.Web.Security.AnonymousIdentificationModule" preCondition="managedHandler" />
<add name="Profile" type="System.Web.Profile.ProfileModule" preCondition="managedHandler" />
<add name="UrlMappingsModule" type="System.Web.UrlMappingsModule" preCondition="managedHandler" />
<add name="UrlRoutingModule-4.0" type="System.Web.Routing.UrlRoutingModule" preCondition="managedHandler,runtimeVersionv4.0" />
<add name="ScriptModule-4.0" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler,runtimeVersionv4.0" />
<add name="ApplicationRequestRouting" />
</modules>
</system.webServer>
UPDATE ::::::::::::::::::
I didn't find out a way to overide FormsAuth so I went the ARR route.
I have 4 sites (no more one site and 3 apps/virtualFolders) :
*_ARR site listens to real ip and virtual host, it is empty , it only has URL rewrite rules, so it is guaranteed that URL rewrites are executed before everithing, the problem of Rewriting to another APP pool is solved by ARR reverse proxy, URL Rewrice at the end causes local reconnection ala reverse proxy, there aro no server farms configured in ARR, only one checkbox (enable proxy).
Other three sites keep 3 versions of app.
There is a file that keeps a record which version is the last installed.
There is a cookie issued for affinity to site/version of app.
All that is handled in custom URL revrite provider.
Cookies with this solution :
Cookie basicaly has the port writen inside. So URL rewrite sends the user to correct version.
And new logons go to newest version, allready logged in user stays at his current version, and finnaly it works as it needs to work.
All this because as I said before , objects in our Session can't be serialized.
And for existing loggins there is no performance hit in starting up site.

UserManager and organizational accounts - cannot connect to the database ( mvc 5)

Got the following problem:
I've created simple mvc 5 project with individual user accounts authentication.
Everything works i can add users,roles,everything is stored in the database - all seems to be fine. Now i want to change authetication to organisational:
<system.webServer>
<modules>
<add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
<add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
</modules>
</system.webServer>
<system.identityModel>
<identityConfiguration>
<audienceUris>
<add value="myUrl" />
</audienceUris>
<securityTokenHandlers>
<remove type="System.IdentityModel.Tokens.SamlSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
<add type="System.IdentityModel.Tokens.SamlSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<samlSecurityTokenRequirement>
<nameClaimType value="myClaim"/>
</samlSecurityTokenRequirement>
</add>
</securityTokenHandlers>
<certificateValidation certificateValidationMode="None" />
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
<authority name="mySts">
<keys>
<add thumbprint="myThumb" />
</keys>
<validIssuers>
<add name="mySts" />
</validIssuers>
</authority>
</issuerNameRegistry>
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<cookieHandler requireSsl="true" />
<wsFederation passiveRedirectEnabled="true" issuer="mySTs" realm="myUrl" requireHttps="true" />
</federationConfiguration>
</system.identityModel.services>
It works - i can authenticate,but when i want to add new user (based on User.Identity.Name to my existing database:
UserManager.CreateAsync(user);
I get weird error:
A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 50 - Local Database Runtime error occurred. Cannot create an automatic instance. See the Windows Application event log for error details.)
although i didn't change anything in connection,dbcontext and so on.
What could be a reason of such behavior?

Something seems to be missed in your web.config file. Try to add connectionStrings to your web.config by editing the code below according to your database and connection properties:
web.config:
<configuration>
<add name="DefaultConnection" providerName="System.Data.SqlClient" connectionString="Data Source=(localdb)\v11.0;
Initial Catalog=aspnet-YourDatabaseName; Integrated Security=SSPI; AttachDBFilename=|DataDirectory|\aspnet-YourDatabaseName.mdf" />

Issue: creating AD FS claims aware application in Visual Studio 2013

I am new to trying to use AD FS and I have been running in circles.
Trying to make a claims aware application
The organization handles its own authentication
I have gotten my test application to verify authentication but it seems wrong.
Create new application in Visual Studio
Choose Web -> Visual Studio
Choose .Net Framework 4.5
Select ASP.Net MVC 4 Web Application
Add Reference to System.Identity
Add Reference to System.Identity.Services
Edit my web.Config file
in the configsection -- add the following
<section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
<section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
then add
<appSettings>
<add key="webpages:Version" value="3.0.0.0" />
<add key="webpages:Enabled" value="false" />
<add key="ClientValidationEnabled" value="true" />
<add key="UnobtrusiveJavaScriptEnabled" value="true" />
<add key="ida:FederationMetadataLocation" value="https://fedtest.xxxxxxxx.com/FederationMetadata/2007-06/FederationMetadata.xml" />
<add key="ida:Realm" value="https://myappNameHere.xxxxxx.com" />
<add key="ida:AudienceUri" value="http://myappNameHere.xxxxxxx.com" />
<add key="loginUrl" value="~/Home" />
</appSettings>
Then add
<location path="Home">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Logout.html">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Then add
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<authorization>
<deny users="?" />
</authorization>
<authentication mode="None" />
</system.web>
Then add
<identityConfiguration>
<audienceUris>
<add value="http://myappName.xxxxxx.com/" />
</audienceUris>`
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
<authority name="http://fedtest.xxxxxxx.com/adfs/services/trust">
<keys>
<add thumbprint="12345567890asdasfsdgdfhdfgjdf123124" />
</keys>
<validIssuers>
<add name="http://fedtest.xxxxxxxx.com/adfs/services/trust" />
</validIssuers>
</authority>
</issuerNameRegistry>
<securityTokenHandlers>
<add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
<remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
</securityTokenHandlers>
<certificateValidation certificateValidationMode="None" />
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<cookieHandler requireSsl="true" />
<wsFederation passiveRedirectEnabled="true"
issuer="https://fedtest.xxxxxxxxx.com/adfs/ls/"
realm="https://myappName.xxxxxxxx.com/"
reply="https://myappName.xxxxxxxxx.com/"
requireHttps="true" />
</federationConfiguration>
</system.identityModel.services>
Why do I think all this is wrong?? Well I got all those lines of web.config from the following steps...
go back to step 5 and do the following
Under Tempalte click web
chose the only option --- ASP.NET Web Application
Wizard comes up and click the 'change Authentication'
Choose Organizational accounts
change drop down to 'On Premises'
fill out 'On-Premises Authority'
Fill out 'App ID URI'
Look at web.config
But using the application that those steps produce will create a redirect loop that I have never been able to trouble shoot.
So -- suggestions on what I am doing wrong. It can't be considered right to generate the web.config in a standard way and paste it into a previous version to get it to work.

Refer: Use the On-Premises Organizational Authentication Option (ADFS) With ASP.NET in Visual Studio 2013.
In terms of the redirect loop. the usual reason is that for your ADFS RP, you configured the endpoint without a trailing slash.
Add the missing "/" and ensure it matches the string in your web.config.

Enable SSL in your application and set the SSL URL as the default in your web properties.

Okay -- what the answer ended up being...
1) I started down this route because i kept getting a redirect loop that I thought was caused by the web.config.
It wasn't the web.config.
2) So create the the application as you are supposed to in VS 13 -- namely go to c# -> web -> and then click the ASP.NET Web Application and set up the on premise authentication
3) My redirect loop was caused by multiple LDAP claims bundled together coming from AD FS
4) Sent my claims one rule at a time and worked like magic.
If anyone can shed light as to why this should be true I am curious.

How to stop Elmah logging?

I am using Elmah.MVC 2 with MVC3, ASP.NET 4.5 on Azure Websites.
I have set it up to log, via the web.config, to XML files on the webserver. This all works. However I want to stop it temporarily, as I believe it may be slowing the web server, since it is taking up time writing these error files. I plan to log to SQL Server. But for now I need to stop Elmah.
My Web.config Elmah sections are :
<sectionGroup name="elmah">
<section name="security" requirePermission="false" type="Elmah.SecuritySectionHandler, Elmah" />
<section name="errorLog" requirePermission="false" type="Elmah.ErrorLogSectionHandler, Elmah" />
<section name="errorMail" requirePermission="false" type="Elmah.ErrorMailSectionHandler, Elmah" />
<section name="errorFilter" requirePermission="false" type="Elmah.ErrorFilterSectionHandler, Elmah" />
</sectionGroup>
and
<add key="elmah.mvc.disableHandler" value="true" />
<add key="elmah.mvc.disableHandleErrorFilter" value="false" />
<add key="elmah.mvc.requiresAuthentication" value="true" />
<add key="elmah.mvc.IgnoreDefaultRoute" value="false" />
<add key="elmah.mvc.allowedRoles" value="Admin" />
<add key="elmah.mvc.allowedUsers" value="Admin" />
<add key="elmah.mvc.route" value="elmah" />
and
<httpModules>
<add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" />
<add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" />
<add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" />
</httpModules>
and
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" preCondition="managedHandler" />
<add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" preCondition="managedHandler" />
<add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" preCondition="managedHandler" />
</modules>
and
<elmah>
<security allowRemoteAccess="yes" />
<errorLog type="Elmah.SqlErrorLog, Elmah" connectionStringName="myDatabaseCS" />
<errorLog type="Elmah.XmlFileErrorLog, Elmah" logPath="~/App_Data" />
</elmah>
</configuration>
I thought this line stopped it:
<add key="elmah.mvc.disableHandler" value="true" />
But alas not. However I cannot get to the Elmah page ie /Elmah just returns me to the login page.
How can I stop Elmah logging?
Thanks.
EDIT 1:
it may be to do with this in Global.asa:
//filters.Add(new ElmahHandledErrorLoggerFilter());
filters.Add(new HandleErrorAttribute());
THe first line is commented out as I do not believe it is required in V2. All error handling is now merged with Elmah I believe.

Just remove the <errorLog> elements from your <elmah> section. Or comment it out. This will disable the logging functionality, and all you have to do to restore functionality when you want it is add those <errorLog> elements back in again. This way, you don't have to remove any of the core Elmah components that could lead to problems later on when you want to restore functionality, particularly if you miss something.

Just to note - removing <errorLog> from <elmah> in web.config does not stop the logging, it just reverts it to in-memory logging as described in this SO answer. (cannot comment on the accepted answer due to insufficient rep.)
If the intent is to stop logging entirely, you can use the Elmah's ErrorFilterModule (assuming that it is added in web.config) for that, like so (global.asax.cs excerpt):
protected void ErrorMail_Filtering(object sender, ExceptionFilterEventArgs e)
{
e.Dismiss();
}

Restrict image access, making them only accessible from within .NET web application

I have a .NET application which uses some images stored in a folder on a server. the folder does not belong to my application. The images in this folder are used as background images of some div within the application. I published the image folder to the web along with my application and so everything work fine. However, Is there a way to limit the access of the folder to my .net application or a setting that can be set so that the content of the folder is not browsable/searchable? Right now, my application uses a url like www.domain.com/iisfoldername/picture.png to set the background of divs. Similarly if you use such URL in a browser, an image will be served. Is it possible to prevent this URL from being served when it is not requested from my application? That is, if someone enters this url in the browser, the image is not displayed, but the image displays when my application requests it.
I know of setting a authentication for a folder. But How can I limit an http request to a user and then impersonate this user(if possible)?
'
EDIT
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<configSections>
<section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
<section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
<section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
</configSections>
<appSettings>
<add key="webpages:Version" value="1.0.0.0" />
<add key="ClientValidationEnabled" value="true" />
<add key="UnobtrusiveJavaScriptEnabled" value="true" />
<add key="ida:FederationMetadataLocation" value="https:ccc.com/Federation.xml" />
<add key="ida:Issuer" value="https://ccc.com" />
<add key="ida:ProviderSelection" value="productionSTS" />
</appSettings>
<location path="Federation">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<deny users="?" />
</authorization>
<authentication mode="None" />
<compilation debug="true" targetFramework="4.5" />
<!--Commented by Identity and Access VS Package-->
<!--<authentication mode="Forms"><forms loginUrl="~/Account/LogOn" timeout="2880" /></authentication>-->
<pages>
<namespaces>
<add namespace="System.Web.Helpers" />
<add namespace="System.Web.Mvc" />
<add namespace="System.Web.Mvc.Ajax" />
<add namespace="System.Web.Mvc.Html" />
<add namespace="System.Web.Routing" />
<add namespace="System.Web.WebPages" />
</namespaces>
</pages>
<httpRuntime targetFramework="4.5" requestValidationMode="4.5" />
<profile defaultProvider="DefaultProfileProvider">
<providers>
<add name="DefaultProfileProvider" type="System.Web.Providers.DefaultProfileProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" applicationName="/" />
</providers>
</profile>
<membership defaultProvider="DefaultMembershipProvider">
<providers>
<add name="DefaultMembershipProvider" type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" applicationName="/" />
</providers>
</membership>
<roleManager defaultProvider="DefaultRoleProvider">
<providers>
<add name="DefaultRoleProvider" type="System.Web.Providers.DefaultRoleProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" applicationName="/" />
</providers>
</roleManager>
<sessionState mode="InProc" customProvider="DefaultSessionProvider">
<providers>
<add name="DefaultSessionProvider" type="System.Web.Providers.DefaultSessionStateProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" />
</providers>
</sessionState>
</system.web>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="1.0.0.0-2.0.0.0" newVersion="3.0.0.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="itextsharp" publicKeyToken="8354ae6d2174ddca" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-5.4.3.0" newVersion="5.4.3.0" />
</dependentAssembly>
</assemblyBinding>
</runtime>
<entityFramework>
<defaultConnectionFactory type="System.Data.Entity.Infrastructure.SqlConnectionFactory, EntityFramework" />
</entityFramework>
<connectionStrings>
</connectionStrings>
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
<add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
<add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
</modules>
</system.webServer>
<system.identityModel>
<identityConfiguration>
<audienceUris>
<add value="https://localhost/App/" />
</audienceUris>
<!--Commented by Identity and Access VS Package-->
<!--<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry"><authority name="LocalSTS"><keys><add thumbprint="9B74CB2F320F7AAFC156E1252270B1DC01EF40D0" /></keys><validIssuers><add name="LocalSTS" /></validIssuers></authority></issuerNameRegistry>-->
<!--certificationValidationMode set to "None" by the the Identity and Access Tool for Visual Studio. For development purposes.-->
<certificateValidation certificateValidationMode="None" />
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
<authority name="http://ccc.com">
<keys>
<add thumbprint="BA86062DD810B95F49FBF85F448507D63D15FB92" />
</keys>
<validIssuers>
<add name="http://ccc.com" />
</validIssuers>
</authority>
</issuerNameRegistry>
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<cookieHandler requireSsl="true" />
<wsFederation passiveRedirectEnabled="true" issuer="https://ccc.com/" realm="https://localhost/App/" requireHttps="true" />
</federationConfiguration>
</system.identityModel.services>
</configuration>

Given your configuration, I believe your best option is to use URL rewriting. In this case, redirect users to a "fake" image if they are requesting images directly or as referred from some other website (but allowing access to them if referred from a page in your application).
To accomplish this, use Microsoft's IIS URL Rewrite extension, which you can download here:
http://www.iis.net/downloads/microsoft/url-rewrite
Once it is installed on your server, configure it by adding the following to your web.config (since you already have a system.webServer section in your web.config, just add the "rewrite" node into it). Note the inline comments and replacements required.
<system.webServer>
<rewrite>
<rules>
<rule name="Whitelist Image Access" stopProcessing="true">
<!-- Evaluated for all image file requests -->
<match url="(?:jpg|jpeg|png|gif|bmp)$" />
<conditions>
<!--
Rule applies when user tries to access URL directly (no referrer)
-->
<add input="{HTTP_REFERER}" matchType="Pattern" pattern="^$" ignoreCase="true" />
<!--
Rule does NOT apply when pages on our site are the referrer
*** NOTE: Replace "ccc" and "com" with appropriate parts form your domain ***
-->
<add input="{HTTP_REFERER}" matchType="Pattern" pattern="^https?://(.*\.)?ccc\.com/.*$" ignoreCase="true" negate="true" />
<!--
Rule does NOT apply when accessing the replacement image when real ones are refused
*** NOTE: replace "no_access.png" with the name of the "fake" image you want to use ***
-->
<add input="{REQUEST_FILENAME}" matchType="Pattern" pattern="no_access.png" ignoreCase="true" negate="true" />
</conditions>
<!--
Temporary redirect (status code 307) to "fake" image
*** NOTE: Replace the URL below with the "fake" image URL ***
-->
<action type="Redirect" url="http://ccc.com/images/no_access.png" appendQueryString="false" redirectType="Temporary" />
</rule>
</rules>
</rewrite>
</system.webServer>