SharePoint 2013: how to create a custom access denied page

Print

Introduction

Previously, in SharePoint 2010, when modifying the Access Denied page via PowerShell, you used the web application's UpdateMappedPage method.  Now, in SharePoint 2013, you use the Set-SPCustomLayoutsPage command.  The new approach greatly simplifies deploying such custom application pages.  This posting shows how to make an elementary modification to the AccessDenied,ASPX page, and then configure the web application to use that new page.

Procedure

1. Log into one of the farm WFEs as a farm administrator.
2. Open Windows Explorer, and then navigate to this folder:

   C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\

3. Add a subfolder to this folder, naming it CustomPages.
   
   Note that this is the physical path to the CustomPages folder. The relative path would be:

   [web app URL]/_layouts/15/custompages

4. In the LAYOUTS folder copy the file AccessDenied.ASPX into the CustomPages subfolder, renaming it AccessDeniedNew.ASPX.
   
5. Modify AccessDeniedNew.ASPX as desired.  To add text or other HTML elements to this page, be sure to introduce them within <asp:Content tags. In the example below, formatted text has been added so that it will appear just below the "Sorry, this site..." message.  The intent here is to keep the message simple in order to facilitate rapid comprehension and engagement. Added text is highlighted.
   
6. After completing the modification on this WFE, copy the CustomPages subfolder into the LAYOUTS folder of each of the other WFEs.

   NOTE: if you don't do this, your users will experience inconsistent responses - some getting the default accessdenied page and some the new one, depending on which WFE the farm's NLB service routed the user's request to.

7. Open a SharePoint Management Shell using a farm administrator account having the SharePoint_Shell_Access role for the farm configuration database.  To check for those accounts that do have this role for the farm configuration database, execute Get-SPShellAdmin.
8. Execute Get-SPCustomLayoutsPage to view what custom pages have already been configured. If you haven't configured any custom message pages yet, you will see something like the following:
   
9. Execute the command that will update the farm configuration database to point to the new location of the AccessDenied page:

   Set-SPCustomLayoutsPage -Identity "AccessDenied" -RelativePath "/_layouts/15/custompages/AccessDeniedNew.aspx" -WebApplication "http://MyWebApplication"

   The AccessDenied page path is now updated:
   
10. Open a browser using a standard account, and then navigate to a site or page that your account does not have access to.  The new AccessDenied page is presented.  Note that an IISReset does not need to be performed.  The change takes affect immediately.
    

References

• SharePoint 2013
• How to set custom access denied pages in SharePoint 2013?
• Access Denied on SharePoint Root Site - even though access is given
• How to Customize the "Sorry, this site hasn't been shared with you"
• Set-SPCustomLayoutsPage
• Get-SPShellAdmin
• Add-SPShellAdmin
• SharePoint 2010
• SharePoint 2010: How to Customize Application Pages
• How to Customize Error Page, Page Not Found and Access Denied in SharePoint 2010
• SPWebApplication.UpdateMappedPage method

Notes

• Thanks to KeithTuomi for his response, to this posting, providing the necessary steps.
• This procedure was performed on a small, traditional-topology SharePoint 2013 farm that includes one DB, one App and two WFEs in (Windows) NLB configuration.
• Using the steps shown in this posting, you can also deploy custom Confirmation, Error, Login, RequestAccess, Signout and WebDeleted pages. Just change the value of the Identity parameter appropriately.