The problem happened when a user purposely failed 3 login attempts to a site hosted on IIS 7.0, and all you got on the screen was a blank IE page with "Done" in the status. So what is going on here? Did the user really fail the authentication or not?

The answer is yes, the user did fail the authentication; however, the IIS 401 error was bypassed by IIS 7.0 under the default settings. I don't know why, but here is how to get the error message back.

- On the IIS 7.0 server, locate the file "C:\Windows\System32\Inetsrv\config\applicationHost.config" and open it in Notepad.

- Find ALL occurrences of the string "PassThrough" in <httpErrors existingResponse="PassThrough" /> sections of the file and replace them with "Auto".

- After the above change, the IIS error pages were displayed correctly.

I bet you've never been so happy to see an "Access Denied" error message.
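
The same find-and-replace can be scripted so that every affected element is listed first and a backup is taken before the file is changed. This is an added example, not part of the original post; the `-Fix` switch name and the backup file naming are assumptions made for the example.

```powershell
# Added example: audit (and optionally fix) existingResponse="PassThrough"
# in applicationHost.config. Run from an elevated PowerShell prompt on the IIS server.
param(
    [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config",
    [switch]$Fix   # hypothetical switch name: without it the script only reports
)

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true   # keep the file's original layout when saving
$xml.Load($ConfigPath)

# httpErrors can appear server-wide and again inside <location path="..."> overrides,
# so search the whole document rather than a single section.
$nodes = @($xml.SelectNodes("//httpErrors[@existingResponse='PassThrough']"))

foreach ($node in $nodes) {
    $loc = $node.SelectSingleNode("ancestor::location")
    $scope = if ($loc) { "location '" + $loc.GetAttribute("path") + "'" } else { "server-wide" }
    Write-Output "PassThrough found ($scope)"
    if ($Fix) { $node.SetAttribute("existingResponse", "Auto") }
}

if ($nodes.Count -eq 0) {
    Write-Output "No httpErrors element uses existingResponse=PassThrough"
}
elseif ($Fix) {
    # Back up the untouched file before writing the modified copy over it
    $backup = "$ConfigPath.bak-" + (Get-Date -Format "yyyyMMddHHmmss")
    Copy-Item -Path $ConfigPath -Destination $backup
    $xml.Save($ConfigPath)
    Write-Output "Updated $($nodes.Count) element(s); backup saved to $backup"
}
```

Run it once without `-Fix` to see which sites or locations suppress the 401 page, then again with `-Fix` to apply the change.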