I'm working my ASP.NET MVC 2 project. I create exception filter for catching unauthorized access exception that occur when user does not has permission to view some action.

[CustomError(typeof(UnauthorizedAccessException), "Error", "UnauthorizedAccess")]
public class MyController : BaseController
{
}

After exception has been thrown, my filter will transfer to configured controller/action that is the following method.

public ActionResult UnauthorizedAccess(ExceptionContext context)
{
    Response.StatusCode = CustomHttpStatusCode.UnauthorizedUser;

    return View(model);
}

Finally, before ASP.NET application end this request, it will call the following method that located in Global.ascx for changing custom HTTP status code to HTTP status 401(unauthorized access).

public void Application_EndRequest(object sender, EventArgs e)
{
    if (Response.StatusCode == CustomHttpStatusCode.UnauthorizedUser)
    {
        Response.StatusCode = 401;
    }
}

Everything is work fine on my machine (IIS 7.5). But it does not work on my deploy website. It still return plain text "You do not have permission to view this directory or page." instead of my custom error page.

PS. The following config is my current web.config for this case.

  <?xml version="1.0" encoding="UTF-8"?>
  <configuration>
    <system.web>
      <customErrors mode="On"></customErrors>
    </system.web>
    <system.webServer>
      <httpErrors errorMode="Custom">
         <remove statusCode="502" subStatusCode="-1" />
         <remove statusCode="501" subStatusCode="-1" />
         <remove statusCode="500" subStatusCode="-1" />
         <remove statusCode="412" subStatusCode="-1" />
         <remove statusCode="406" subStatusCode="-1" />
         <remove statusCode="405" subStatusCode="-1" />
         <remove statusCode="404" subStatusCode="-1" />
         <remove statusCode="403" subStatusCode="-1" />
         <remove statusCode="401" subStatusCode="-1" />
      </httpErrors>
    </system.webServer>
  </configuration>

You can pass through IIS7 default error messages in two ways

One is to set response.TrySkipIisCustomErrors to be true

response.TrySkipIisCustomErrors = true;
response.Status = response.Status;

For some reason, TrySkipIisCustomErrors is not honoured if you don't set response.Status.

The other is to set existingResponse to "PassThrough" in web.config

<configuration>
  <system.webServer>
    <httpErrors existingResponse="PassThrough" />
  </system.webServer>
</configuration>

But this will ignore all set IIS custom error pages.

I just found easy solution for this problem. I just add new setting in to web.config file like the following code. Everything works fine on my deployment website.

  <?xml version="1.0" encoding="utf-8"?>
  <configuration> 
    <system.webServer>
      <httpErrors errorMode="Custom" existingResponse="PassThrough">
          <remove statusCode="502" subStatusCode="-1" />
          <remove statusCode="501" subStatusCode="-1" />
          <remove statusCode="500" subStatusCode="-1" />
          <remove statusCode="412" subStatusCode="-1" />
          <remove statusCode="406" subStatusCode="-1" />
          <remove statusCode="405" subStatusCode="-1" />
          <remove statusCode="404" subStatusCode="-1" />
          <remove statusCode="403" subStatusCode="-1" />
          <remove statusCode="401" subStatusCode="-1" />
      </httpErrors>
    </system.webServer>
  </configuration>

So I can create custom error page both in plain text and JSON response too.

For more information: HttpErrorsSection Class

PS. But I cannot found existingResponse attribute in Error Pages feature of IIS manager.