Alternate Header configured in onet.xml causes a problem in the reqacc.aspx page.

When you configure the alternate header in onet.xml and it has dynamic content, an unauthorized user may not be able to access the reqacc.aspx page.


One of the most common requirements is having a common header in all the SharePoint site pages. SharePoint lets you configure ONET.XML to provide a common alternate header for every page by setting the AlternateHeader attribute.

 

ONET.XML

https://msdn.microsoft.com/library/default.asp?url=/library/en-us/spptsdk/html/tscamlovONET_SV01084510.asp

 

Every aspx file in the <system drive>:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\LAYOUTS\1033 folder contains the following code, which executes the alternate header page:

 

<%
string alternateHeader = SPControl.GetContextWeb(Context).AlternateHeader;
if (alternateHeader == null || alternateHeader == "")
{
%>
<TR>
            ……
            ……
</TR>
<%
}
else
{
    Server.Execute(alternateHeader);
}
%>

 

When an unauthorized user accesses a site, he is redirected to the reqacc.aspx page to send an access request to the site owner. The reqacc.aspx page is stored in the <system drive>:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\LAYOUTS\1033 folder and performs the same alternate header check. If the unauthorized user does not have permission to execute the alternate header page (which is the case in almost every scenario), the SharePoint IIS server logs 401 unauthorized error messages and SharePoint keeps popping up the login window for credentials.
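To confirm this symptom from the IIS logs, the following added example (not part of the original post) scans W3C extended log text for clients that keep receiving 401 on reqacc.aspx with no successful response afterwards, so that the 401s of a normal Windows authentication handshake are not flagged. The sample log lines, the assumption that the 401 is recorded against the reqacc.aspx request itself, and the `min_run` threshold of 4 are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not taken from the post).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2006-03-01 10:00:01 10.0.0.5 - GET /sites/hr/_layouts/1033/reqacc.aspx 401
2006-03-01 10:00:01 10.0.0.5 - GET /sites/hr/_layouts/1033/reqacc.aspx 401
2006-03-01 10:00:02 10.0.0.5 bob GET /sites/hr/_layouts/1033/reqacc.aspx 200
2006-03-01 10:05:00 10.0.0.7 - GET /sites/hr/default.aspx 401
2006-03-01 10:07:10 10.0.0.9 - GET /sites/hr/_layouts/1033/reqacc.aspx 401
2006-03-01 10:07:10 10.0.0.9 - GET /sites/hr/_layouts/1033/reqacc.aspx 401
2006-03-01 10:07:25 10.0.0.9 - GET /sites/hr/_layouts/1033/reqacc.aspx 401
2006-03-01 10:07:41 10.0.0.9 - GET /sites/hr/_layouts/1033/reqacc.aspx 401
2006-03-01 10:07:58 10.0.0.9 - GET /sites/hr/_layouts/1033/reqacc.aspx 401
"""

REQUIRED = {"c-ip", "cs-uri-stem", "sc-status"}


def parse_w3c(text):
    """Yield one dict per log record, keyed by the active #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # the layout can change mid-file
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):   # skip truncated records
                yield dict(zip(fields, parts))


def find_prompt_loops(text, page="reqacc.aspx", min_run=4):
    """Return {client_ip: count of 401s on `page` since its last 2xx}."""
    run = defaultdict(int)
    for rec in parse_w3c(text):
        if not REQUIRED <= rec.keys():
            continue
        if not rec["cs-uri-stem"].lower().endswith("/" + page):
            continue
        if rec["sc-status"] == "401":
            run[rec["c-ip"]] += 1
        elif rec["sc-status"].startswith("2"):
            run[rec["c-ip"]] = 0            # page rendered: earlier 401s were the handshake
    return {ip: n for ip, n in run.items() if n >= min_run}


if __name__ == "__main__":
    print(find_prompt_loops(SAMPLE_LOG))
```
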

 

To avoid this issue, we can remove the alternate header check code from the reqacc.aspx page. Remove the following lines from the reqacc.aspx page:

 

<%
string alternateHeader = SPControl.GetContextWeb(Context).AlternateHeader;
if (alternateHeader == null || alternateHeader == "")
{
%>

<%
}
else
{
    Server.Execute(alternateHeader);
}
%>

 

Note, however, that modifying the default SharePoint aspx files is not supported by Microsoft.

 

But the story does not end here; there is still another issue. After we remove the alternate header check code from the reqacc.aspx page, the unauthorized user is able to see the reqacc.aspx page and send a request to the site owner. However, he will not be able to see the confirmation page; instead, he gets the reqacc.aspx page repeatedly.