Sitecore SSO via SAML2 - AuthenticateRequest not firing - sitecore

This is my first question here, so please let me know if I have missed something or need to provide more information!
Key details:
C# 4.5
IIS 7.5 (Win 2008 R2)
Sitecore 6.6 rev 130529
I'm attempting to link Sitecore to the VS2012 LocalSTS instance provided by the Visual Studio Identity and Access Tool, following a blog post by Kevin Buckley (link) which was written before WIF was integrated into C# 4.5. I am attempting to perform passive RP behaviour.
I have updated the Microsoft.IdentityModel namespaces to System.IdentityModel and System.IdentityModel.Services namespaces as appropriate.
My <system.IdentityModel> section is as below:
<system.identityModel>
  <identityConfiguration>
    <audienceUris>
      <add value="http://localhost/" />
    </audienceUris>
    <certificateValidation certificateValidationMode="None" />
    <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
      <authority name="LocalSTS">
        <keys>
          <add thumbprint="9B74CB2F320F7AAFC156E1252270B1DC01EF40D0" />
        </keys>
        <validIssuers>
          <add name="LocalSTS" />
        </validIssuers>
      </authority>
    </issuerNameRegistry>
  </identityConfiguration>
</system.identityModel>
My <system.identityModel.services> is as below:
<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="false" />
    <wsFederation passiveRedirectEnabled="true"
                  issuer="http://localhost:14691/wsFederationSTS/Issue"
                  realm="http://localhost/"
                  reply="http://localhost/sitecore modules/fedauthenticator/sso"
                  requireHttps="false" />
  </federationConfiguration>
</system.identityModel.services>
I have added the relevant modules (WSFederationAuthenticationModule, SessionAuthenticationModule) under <system.webServer><modules> :
<add type="Sitecore.Web.RewriteModule, Sitecore.Kernel"
     name="SitecoreRewriteModule" />
<add type="Sitecore.Nexus.Web.HttpModule,Sitecore.Nexus"
     name="SitecoreHttpModule" />
<add name="WSFederationAuthenticationModule"
     type="System.IdentityModel.Services.WSFederationAuthenticationModule,
           System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral,
           PublicKeyToken=b77a5c561934e089"
     preCondition="managedHandler" />
<add name="SessionAuthenticationModule"
     type="FedAuthenticator.Authentication.WSSessionAuthenticationModule,
           FedAuthenticator"
     preCondition="managedHandler" />
The behaviour I am seeing is as follows:
User navigates to a page that is protected by Sitecore
WIF FAM module fires and at EndRequest, determines that a 401 status is returned
WIF FAM redirects to LocalSTS IdP as per settings (with appropriate querystring)
Javascript auto-submits form - I have disabled JS in browser for testing this but it works
LocalSTS page POSTs to URL specified in reply attribute with token information in the wresult field of the form
This is where the issue occurs. My understanding is that the FAM hooks the AuthenticateRequest event and then proceeds to detect the security token (via the presence and values of the wa and wresult form fields) and decodes the SSO token.
My issue is that this never occurs - I have enabled tracing and overridden the WSFederationAuthenticationModule to check, and although it correctly detects the event the first time and calls the CreateSignInRequest and RedirectToIdentityProvider steps, the subsequent POST to the site (containing the token) does not fire AuthenticateRequest and hence the FAM does not detect, create a cookie, or assign the correct IPrincipal to the request.
This leads to an endless loop where the request receives a 401, is 302-redirected to the LocalSTS SSO page, which submits and POSTs to the Sitecore SSO page, which delivers a 401, and so on.
Can anyone provide some insight into something I am missing, or anything else that might be hindering the FAM from detecting the POST request with token information in it?

Embarrassingly, to answer my own question - the reason this was occurring was that the response parameter was directing the SSO form POST to a URL that Sitecore responded to with a redirection to the NotFound page (i.e. the POST target was resolved by Sitecore to not exist).
As the NotFound page did not have any security, AuthenticateRequest was not firing.
I have yet to work out why the NotFound page was causing a redirect back to the SSO page - but at least now, once I corrected the incorrect value in the response configuration field, the token is being detected by the FAM and correctly processed for later modules (SAM, etc).
Edit - found the cause of the redirect loop
The redirect loop was caused by an erroneous setting in the web.config, which looked like below:
<authorization>
  <deny users="?"/>
</authorization>
This meant that the token was posted to the NotFound page, a request which Sitecore apparently intercepts, so the FAM wasn't firing and therefore the user was not authenticated. This resulted in a 401 response code (due to the deny statement) that kicks off the SSO redirect - creating a loop.
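As an added example (not code from the question, from Sitecore or from WIF), a small checker over the config fragments posted above: given the set of URL paths the site actually routes to a page (an assumed input), it flags the reply/NotFound mismatch and the deny-anonymous rule that together produced this thread's redirect loop, plus the three settings that are fine against LocalSTS but must not ship to production.

```python
from urllib.parse import urlparse, unquote
import xml.etree.ElementTree as ET

# Constructed sample: the question's own config fragments joined into one <configuration>.
SAMPLE_CONFIG = """<configuration>
 <system.web><authorization><deny users="?"/></authorization></system.web>
 <system.identityModel><identityConfiguration>
  <audienceUris><add value="http://localhost/"/></audienceUris>
  <certificateValidation certificateValidationMode="None"/>
 </identityConfiguration></system.identityModel>
 <system.identityModel.services><federationConfiguration>
  <cookieHandler requireSsl="false"/>
  <wsFederation passiveRedirectEnabled="true" realm="http://localhost/"
   issuer="http://localhost:14691/wsFederationSTS/Issue" requireHttps="false"
   reply="http://localhost/sitecore modules/fedauthenticator/sso"/>
 </federationConfiguration></system.identityModel.services>
</configuration>"""

def _first(root, tag):
    # Element.iter() matches tags exactly; find() would split "system.identityModel" on its dots.
    return next(root.iter(tag), None)

def check_federation_config(xml_text, served_paths):
    """Return sorted finding codes. served_paths (assumed input) lists the URL paths
    the site really routes to a page, i.e. where the FAM gets to see the token POST."""
    root, findings = ET.fromstring(xml_text), set()
    wsfed = _first(root, "wsFederation")
    realm, reply = wsfed.get("realm", ""), wsfed.get("reply", "")
    r_url, p_url = urlparse(realm), urlparse(reply)
    if (r_url.scheme, r_url.netloc) != (p_url.scheme, p_url.netloc):
        findings.add("REPLY_ORIGIN_DIFFERS_FROM_REALM")
    reply_served = unquote(p_url.path).lower() in {p.lower() for p in served_paths}
    if not reply_served:
        findings.add("REPLY_NOT_SERVED")  # the token POST lands on a NotFound page instead
    if not reply_served and any(d.get("users") == "?" for d in root.iter("deny")):
        findings.add("DENY_ANON_REDIRECT_LOOP")  # 401 on NotFound -> 302 to STS -> POST -> 401 ...
    aud = _first(root, "audienceUris")
    audiences = {a.get("value") for a in aud.iter("add")} if aud is not None else set()
    if realm not in audiences:
        findings.add("REALM_NOT_IN_AUDIENCE_URIS")
    # Dev-only settings: they disable transport/issuer protections; a missing attribute is
    # treated as the secure default.
    if wsfed.get("requireHttps", "true").lower() == "false":
        findings.add("DEV_ONLY_REQUIRE_HTTPS_FALSE")
    cookie = _first(root, "cookieHandler")
    if cookie is not None and cookie.get("requireSsl", "true").lower() == "false":
        findings.add("DEV_ONLY_COOKIE_REQUIRE_SSL_FALSE")
    cert = _first(root, "certificateValidation")
    if cert is not None and cert.get("certificateValidationMode") == "None":
        findings.add("DEV_ONLY_CERT_VALIDATION_NONE")
    return sorted(findings)
```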

Related

FormsAuthentication Cookie Disappearing

I have a web application that I am working on where I create a cookie called "AuthCookie". I insert this cookie into the response as shown:
Response.Cookies.Add(authCookie);
I then redirect to another webapplication. In that webapplication, when i run the following code:
var test = Request.Cookies["AuthCookie"];
The cookie is null. I look in the list of cookies and "AuthCookie" is no longer there. In the web.config of this website, "AuthCookie" is the name of the Forms Authentication....
<authentication mode="Forms" >
  <forms name="AuthCookie" loginUrl="https://localhost/Test/Authenticate" timeout="2" requireSSL="false" domain=""/>
</authentication>
When I change the name of the cookie that I created to something else like...AuthCookie2, the issue does not occur. When I am redirected to the second website, the cookie remains intact and "Test" is not null.
My knowledge on Cookies is a bit weak when it comes to Forms Authentication. Can someone explain to me why this is happening? I've googled left and right, but to no avail. I also need to have the names remain the way they are. Simply changing the cookie name isn't an option for me.

Why is my HttpSessionState losing its value?

I'm dealing with the Sitecore app that stores some 'items' into the cart for users that are not authenticated (I guess they should not be) using code like this:
this.Session["abc"]
Then once the user arrives on the cart page and wants to proceed, if he waits too long (more than a minute) the value in the session is lost!
Here are my relevant web.config settings:
<sessionState mode="InProc" cookieless="false" timeout="20" sessionIDManagerType="Sitecore.FXM.SessionManagement.ConditionalSessionIdManager">
  <providers>
    <add name="mongo" type="Sitecore.SessionProvider.MongoDB.MongoSessionStateProvider, Sitecore.SessionProvider.MongoDB" sessionType="Standard" connectionStringName="session" pollingInterval="2" compression="true" />
    <add name="mssql" type="Sitecore.SessionProvider.Sql.SqlSessionStateProvider, Sitecore.SessionProvider.Sql" sessionType="Standard" connectionStringName="session" pollingInterval="2" compression="true" />
  </providers>
</sessionState>
and
<authentication mode="None">
  <forms name=".ASPXAUTH" cookieless="UseCookies" timeout="90" />
</authentication>
I guess you don't need to be authenticated to use the session?
And yes, I did check the code to ensure that nothing is nullifying my session.
I'm at the end of my rope here and don't know what is cleaning my session.
Issue with 1 minute session timeout often happens when you don't have VisitorIdentification in your layout. Sitecore considers every new visitor as a potential crawling robot and tries not to use 20 minutes session if not necessary.
Make sure you have VisitorIdentification in your layouts. You can add it for Web Forms like that:
<%@ Import Namespace="Sitecore.Analytics" %>
<sc:VisitorIdentification runat="server" />
and for MVC like that:
@using Sitecore.Mvc.Analytics.Extensions
@Html.Sitecore().VisitorIdentification()
If your Visual Studio still complains that it cannot find VisitorIdentification type in Sitecore.Web.UI.WebControls namespace, check whether Sitecore.Analytics is referenced from your web project and if Sitecore.Analytics is registered in <system.web><pages><controls> in web.config:
<add tagPrefix="sc" namespace="Sitecore.Web.UI.WebControls" assembly="Sitecore.Analytics" />
EDIT:
Think about having thousands of sessions for robots and each of them can be pretty heavy in terms of RAM usage. If they are all kept for 20 minutes, they can kill the server easily. That's why Sitecore changes session timeout for every new user and sets it to 1 minute.
If the Sitecore layout is configured properly and VisitorIdentification is included, your browser will automatically execute another request to your server and your session timeout will be extended to the default setting from web.config (e.g. 20 minutes).

Sitecore logs out when I select a message in ECM

Whenever I select a message in ECM it redirects me to the login page of Sitecore with the following URL at the top
http://example.com/sitecore%20modules/shell/EmailCampaign/UI/Dialogs/MessageBody.aspx?message={79D6412B-824A-4349-8B94-9136D17C6E84}&lang=en&contact=Emailcampaign\exampleuser_at_example_dot_com
The following are the things I know about this issue:
Though this happens most of the time, sometimes it will work for the same message and for the same preview user (for the contact mentioned in the URL above).
The sitecore user trying to access the message in ECM has all access rights for the message he is trying to access.
I have a test environment running on a different server where this works fine. But in the production environment it is not working.
I am running my site on Sitecore.NET 6.6.0 (rev. 121015) version.
When Sitecore redirects me to the login page with the above URL at the top, I cannot log in using that page. I have to go to
http://example.com/sitecore/
in order to log back in.
The Item ID in the URL is correct and it points to the message that I am trying to view.
[Updated]
We resolved this issue by adding a custom preview handler in web.config like this
<previewManager defaultProvider="customPreview" enabled="true">
  <providers>
    <clear />
    <add name="default" type="Sitecore.Publishing.PreviewProvider, Sitecore.Kernel" />
    <add name="customPreview" type="PackageName.CustomPreview, PackageName" />
  </providers>
</previewManager>
Here is the code behind for that custompreview:
using Sitecore.Security.Authentication;

public class CustomPreview : Sitecore.Publishing.PreviewProvider
{
    public override void SetUserContext()
    {
        // Prefer the shell (Content Editor) user when one is available.
        string shellUser = this.GetShellUser();
        if (!string.IsNullOrEmpty(shellUser))
        {
            AuthenticationManager.SetActiveUser(shellUser);
        }
        else if (!Sitecore.Context.User.Name.Split('\\')[1].Equals("Anonymous"))
        {
            // Otherwise keep the already-authenticated context user (domain\name).
            AuthenticationManager.SetActiveUser(Sitecore.Context.User.Name);
        }
    }
}
[Old]
We resolved this issue. Strangely, this was related to badly configured load balancer. We still need to find what is going wrong in the load balancer but we don't face this issue when we remove one of the servers from the load balancer i.e., When the traffic goes only to one particular server, this issue doesn't occur. Since our test environment is deployed in only one server we never faced this issue there.
This sounds like there is something missing in the core database.
I would check to make sure the roles that ECM requires are present in the core database and also check that you have the correct setup to facilitate users with the domain emailcampaign\username.
If this doesn't resolve the issue there is a diagnostic tool you can run here to help you debug further:
https://kb.sitecore.net/articles/553662
Failing that, contact Sitecore support - they have more tools to help with debugging issues with ECM.

Edit ASMX web service landing page wording/information?

Is there a way to edit/add some information to the asmx web service page? I would like to add some links to some external files that is helpful for the service. Currently, it's displaying something like this:
My Web Services
The following operations are
supported. For a formal definition,
please review the Service Description.
TestMethod
I would like to add a link after the "TestMethod". Thanks.
I was facing the same problem and found the wsdlHelpGenerator element in web.config could help me out.
https://msdn.microsoft.com/en-us/library/ycx1yf7k(v=vs.100).aspx
I took the source code of the generated help page, hand edited what I needed into it, and saved it as a static html file that I then hooked up to the wsdlHelpGenerator element:
<webServices>
  ...
  <wsdlHelpGenerator href="help.html"/>
  ...
</webServices>
I also needed to add the following to my system.web section:
<system.web>
  ...
  <compilation>
    <buildProviders>
      <add extension=".html" type="System.Web.Compilation.PageBuildProvider" />
    </buildProviders>
  </compilation>
  ...
</system.web>

Sitecore: loginPage?

I am trying to set a loginPage value on a Sitecore site in the web.config. The file referenced in the loginPage is a Sitecore item, so it is not a physical page on the server. No matter how I reference it, it does not work. I get one of 2 errors (depending on how I reference the file):
The resource cannot be found.
Error executing child request for /sitecore/login. (The path being the one I referenced in the web.config)
Any ideas?
The explanatory comment in web.config says that 'loginPage' attribute should be The path to the login page to use. Must point to a physical file or a page in a site that does NOT require login. 'Require login' means denied Read permissions for the Anonymous user. This Anonymous user is the one in the domain specified for this site.
For instance, if you want to have login page set for the 'website' site, you should make sure that extranet\Anonymous has read permission to the item you specified.
Hope this helps.
The loginPage attribute is actually a URL, not an item path. Include the full path with extension -- e.g. /MyAccount/Login.aspx
Try hitting the url in the browser to your login page. If you cannot reach the page itself or if it throws an error in the browser then accessing it in the web.config will not work.
Once you have the login page coming up in the url in the browser using the path yoursite/login or whatever sitecore tree path you have set up. Then add it to the web.config.
Also, in the content tree you can click on security and access viewer for the login item. Then select the anonymous role. If it is a security issue then you will see which role is affecting the security settings for anonymous.
Type this in the browser: "Url of your website/Sitecore/showconfig.aspx". Here you will get a combination of all the .config files being used. Also, you can just check in Fiddler (a software) to see what else you get in the response apart from "resource cannot be found".
Would be nice if you could also paste the settings you applied in the web.config, but this is how I understand the question.
You wanted to create a client user login page, not overriding the Sitecore login page.
If so, you have to ensure that it's under the home item (sitecore> content >home > YOUR_LOGIN_PAGE).
If outside the home item, eg. sitecore> content >YOUR_WEBSITE > YOUR_LOGIN_PAGE then you have to configure that in the sitedefinition.config because that is somehow treated as a new site and not part of the freshly installed Sitecore.
To validate that you have applied it correctly, try accessing the showconfig page on your browser (eg. http://YOUR_WEBSITE/sitecore/admin/showconfig.aspx)
Additional things you might want to double check:
Make sure you were able to publish it on the web database, if not try accessing in the preview mode
Make sure that the item has layout and rendering definition. Otherwise, it won't work.
Make sure you have the right permission, for you to be able to access the page. I would assume you're in the admin role
This issue can be caused by a modified setting:
<setting name="RequestErrors.UseServerSideRedirect" value="false" />
which is false by default.
According to the notes in the config file: "If true, Sitecore will use Server.Transfer instead of Response.Redirect." But Server.Transfer is not a good option for a regular login page redirect because:
ASP.NET does not verify that the current user is authorized to view the resource delivered by the Transfer method.
You can change it in Sitecore.config file
<site name="shell" ... loginPage="yoururl" ... />
<site name="login" ... virtualFolder="/yoururl" ... />
<site name="admin" ... virtualFolder="/yoururl" ... loginPage="/yoururl/login.aspx" />