Unable to get to /Sitefinity with v10 on an upgraded site

Posted by Community Admin on 03-Aug-2018 17:16


All Replies

Posted by Community Admin on 14-Mar-2017 00:00

I just get this error, and that config URL it specifies loads just fine. I get this just loading the page itself, not even at the login screen.

Are there some upgrade docs anywhere, maybe I'm missing something over what the basic upgrade applies?

 

Server Error in '/' Application.

The remote certificate is invalid according to the validation procedure.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

Source Error: 

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace: 

[AuthenticationException: The remote certificate is invalid according to the validation procedure.]
   System.Net.TlsStream.EndWrite(IAsyncResult asyncResult) +298
   System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar) +150

[WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.]
   System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) +764
   System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar) +78

[HttpRequestException: An error occurred while sending the request.]

[AggregateException: One or more errors occurred.]
   System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification) +4492572
   Microsoft.IdentityModel.Protocols.<GetDocumentAsync>d__0.MoveNext() +208

[IOException: Unable to get document from: https://dev.sitefinitysteve.com/Sitefinity/Authenticate/OpenID/.well-known/openid-configuration]
   Microsoft.IdentityModel.Protocols.<GetDocumentAsync>d__0.MoveNext() +664
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +14139120
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Microsoft.IdentityModel.Protocols.<GetAsync>d__0.MoveNext() +290
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +14139120
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Microsoft.IdentityModel.Protocols.<GetConfigurationAsync>d__3.MoveNext() +929

[InvalidOperationException: IDX10803: Unable to create to obtain configuration from: 'https://dev.sitefinitysteve.com/Sitefinity/Authenticate/OpenID/.well-known/openid-configuration'.]
   Microsoft.IdentityModel.Protocols.<GetConfigurationAsync>d__3.MoveNext() +1287
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +14139120
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +62
   Microsoft.Owin.Security.OpenIdConnect.<ApplyResponseChallengeAsync>d__c.MoveNext() +728
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +14139120

Posted by Community Admin on 14-Mar-2017 00:00

Hi Steve,

How did you perform the upgrade procedure? There are quite a few changes to the web.config. You can try upgrading using the Project Manager. The Project Manager will apply web.config changes automatically and add new references to your .csproj.

Regards,
Georgi

Posted by Community Admin on 14-Mar-2017 00:00

Yeah, I pretty much exclusively use the Project Manager for updates for this exact reason :/

Is SSL REQUIRED? Like in a new site it wouldn't be there but an existing site using SSL pulled down local with an invalid cert?

Posted by Community Admin on 15-Mar-2017 00:00

Hi Steve,

You could take a look at the documentation about certificates.

docs.sitefinity.com/authentication-flow-and-certificates

"You must configure this certificate, by navigating to Administration » Settings » Advanced » Authentication » SecurityTokenService » IdentityServer » SigningCertificate."

If you cannot log in, you should apply those changes using the config file (e.g. you could create a new test project, apply the setting and use it in the existing project). Or you could turn off the SSL, configure it, and then turn it back on.

Regards,

Dimitar

Posted by Community Admin on 15-Mar-2017 00:00

The problem isn't even that I can't log in, it's that I can't get to /Sitefinity though... like I don't even get to the point of seeing the login page, it just throws the above error

Posted by Community Admin on 15-Mar-2017 00:00

Take a look at the documentation; you should register a valid certificate for dev.sitefinitysteve.com

You could apply the changes before logging in to Sitefinity by using the Authentication.config file directly in AppData/Sitefinity (as I mentioned in my previous answer).

D

Posted by Community Admin on 15-Mar-2017 00:00

Okay will try, thx!

Posted by Community Admin on 15-Mar-2017 00:00

Yeah that's it I guess, if I remove the HTTPS redirect in the webconfig I can get to the backend now...  guess I'll play around with trying to add the cert per your doc there, thx!

Posted by Community Admin on 15-Mar-2017 00:00

Okay not sure what else to do here...

I have a trusted cert, it's added to the Authentication.config

<?xml version="1.0" encoding="utf-8"?>
<authenticationConfig xmlns:config="urn:telerik:sitefinity:configuration" xmlns:type="urn:telerik:sitefinity:configuration:type" config:version="10.0.6400.0" encryptionKey="">
<securityTokenServiceSettings>
<identityServerSettings>
<signingCertificate subjectName="dev.sitefinitysteve.com" />
</identityServerSettings>
</securityTokenServiceSettings>
</authenticationConfig>

 

Still get the error on login

Posted by Community Admin on 15-Mar-2017 00:00

Hmm, so just trusted in chrome I think is the problem then clearly, how can it be globally trusted?  Saw this in the warmup logs

Timestamp: 2017-03-15 5:36:36 PM

Message: The page 'dev.sitefinitysteve.com/' failed to warmup with error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.. Requested URL: dev.sitefinitysteve.com/

Posted by Community Admin on 15-Mar-2017 00:00

Eugh this is frustrating

Okay imported the cert to the WINDOWS global trusted store, now all the errors are gone, site warmup seems okay as well (and seems to work! :D)

 

So now the last issue is that when I try to log in with my local creds (which work on http) I get the attached Message in the Login UI

...turn off HTTPS, log in with those same creds, all good again.

Posted by Community Admin on 16-Mar-2017 00:00

Keep in mind that enabling HTTPS requires all of the site to use it. Otherwise the cookies won't be sent.

Take a look at - docs.sitefinity.com/administration-configure-http-and-https-bindings-to-work-simultaneously.

 

Have you checked Sitefinity/Administration/Settings/Advanced/Authentication > Require Https?

For investigation of such errors - you can turn on the IdentityServer logging

Sitefinity/Administration/Settings/Advanced/Authentication > SecurityTokenService > IdentityServer > Enable logging and check the Authentication log. There you will find the error details.

The reason for not showing the details is that there may be security-sensitive info that the end user should not see.

For more information docs.sitefinity.com/turn-on-authentication-logging

Best,

Dimitar

Posted by Community Admin on 16-Mar-2017 00:00

Can we get the docs updated with the XML for the .config files? If I can't log in I can't get to these pages (working on updating another site atm)... would be nice to just open the config and paste in the settings instead of needing to JustDecompile it to find the property names (would just be more handy)

Posted by Community Admin on 16-Mar-2017 00:00

Okay for anyone else, the error was

Message: Signing certificate has not private key or private key is not accessible. Make sure the account running your application has access to the private key

1) Open your Certificates MMC 

2) Find your cert

3) Right Click->All Tasks->Manage Private Keys

4) Add your app pool to the list
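
A diagnostic for the two conditions this thread ran into (a certificate that is not trusted at machine level, and a signing-certificate private key the app pool cannot read), as an added example that is not part of the original posts. It assumes an elevated Windows PowerShell 5.1 session, a certificate with an RSA key in the LocalMachine\My store, and a placeholder app pool name.

```powershell
# Added example, not from the thread. Assumptions: LocalMachine\My store, RSA key,
# elevated session. The app pool identity below is a placeholder.
$subject = 'dev.sitefinitysteve.com'      # subjectName used in Authentication.config
$appPool = 'IIS APPPOOL\YourAppPoolName'  # hypothetical; replace with your pool identity

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$subject*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$subject in LocalMachine\My" }

# 1) Build the chain in the machine context, which is what the worker process
#    relies on, rather than the interactive user's store or a browser exception.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust check only, no CRL/OCSP lookup
$trusted = $chain.Build($cert)
"Machine-trusted chain : $trusted"
$chain.ChainStatus | ForEach-Object { "  chain status: $($_.Status) $($_.StatusInformation.Trim())" }

# 2) Locate the private key file (CNG keys and legacy CSP keys live in different folders).
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this machine' }
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$name = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName }
        else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = 'Keys', 'RSA\MachineKeys' |
    ForEach-Object { Join-Path "$env:ProgramData\Microsoft\Crypto\$_" $name } |
    Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key file for container '$name' not found (hardware-backed key?)" }

# 3) Look for a direct Allow entry granting the app pool identity read access.
#    Access granted through a group is not detected by this check.
$read = [System.Security.AccessControl.FileSystemRights]::Read
$aces = (Get-Acl -Path $keyFile).Access | Where-Object {
    $_.IdentityReference.Value -eq $appPool -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $read) -eq $read)
}
"Key file              : $keyFile"
"App pool can read key : $([bool]$aces)"
```

A `False` on the first line corresponds to the "Could not establish trust relationship" error earlier in the thread; a `False` on the last line corresponds to the "private key is not accessible" message that the Manage Private Keys steps resolve.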

Posted by Community Admin on 27-Mar-2017 00:00

Hi Steve and Dimitar,

After I upgraded Sitefinity 9.2 to 10 I can no longer see the backend login page. I immediately receive a 401 error.

I upgraded my development site with Project Manager and the upgrade was successful. I launched the dev website successfully and received a successful check for the database upgrade. I see no problem in the upgrade log.

To be sure it's not coming from my server, I created a new project with Project Manager, and when I launch this new project's website I can see the backend login page.

I use IIS Express and Visual Studio for both. I configured HTTPS with Visual Studio, which created the IIS Express Development Certificate for me.

I don't know why it's OK with the new project while for the upgraded website I receive a 401 error page (see attachment).

I also looked into the IIS Express log and used Fiddler but can't find why this issue occurs with my upgraded website. I compared DLLs and also web.config. Tried a lot of things without success :-/

Can someone give me a help?

Posted by Community Admin on 27-Mar-2017 00:00

In the SecurityConfig. do you have "authenticateOnFrontendLoginPage" set to true?

Posted by Community Admin on 27-Mar-2017 00:00

Right Steve, I forgot to mention that. Originally "authenticateOnFrontendLoginPage" was set to true in SecurityConfig.

I also tested without this setting and with "False", but I always receive 401.

Perhaps it records this in a DB file???

Posted by Community Admin on 27-Mar-2017 00:00

You've shut the browser down, cleared cache... she's all clean that way?

 

Are there any logs that give any details?

 

What about enabling auth logs?

<?xml version="1.0" encoding="utf-8"?>
<authenticationConfig xmlns:config="urn:telerik:sitefinity:configuration" xmlns:type="urn:telerik:sitefinity:configuration:type" config:version="10.0.6400.0" encryptionKey="***">
    <relyingPartySettings authCookieExpirationTime="1140" authCookieSecureOption="Never" />
    <securityTokenServiceSettings>
        <identityServerSettings enableLogging="True">
            <signingCertificate subjectName="***" />
        </identityServerSettings>
    </securityTokenServiceSettings>
</authenticationConfig>

Posted by Community Admin on 27-Mar-2017 00:00

I cleared the browser cache.

Here is the authenticationconfig:

<?xml version="1.0" encoding="utf-8"?>
<authenticationConfig xmlns:config="urn:telerik:sitefinity:configuration" xmlns:type="urn:telerik:sitefinity:configuration:type" config:version="10.0.6400.0" requireHttps="True" encryptionKey="***">
  <relyingPartySettings authCookieSecureOption="Never" />
  <securityTokenServiceSettings>
    <signingCertificate subjectName="localhost" />
    <identityServerSettings enableLogging="True" />
  </securityTokenServiceSettings>
</authenticationConfig>

 

I use Visual Studio to launch my dev project and it uses localhost:<port> over HTTPS.

I receive no authentication log because it finishes before that. It stops immediately.

As for the IIS Express log, I found this, but it doesn't give me a solution...

<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type='text/xsl' href='freb.xsl'?>
<!-- saved from url=(0014)about:internet -->
<failedRequest url="localhost:44386/sitefinity"
               siteId="2"
               appPoolId="Clr4IntegratedAppPool"
               processId="12244"
               verb="GET"
               remoteUserName=""
               userName=""
               tokenUserName="WEBDEV1\gs1admin"
               authenticationType="anonymous"
               activityId="80000110-0000-EE00-B63F-84710C7967BB"
               failureReason="STATUS_CODE"
               statusCode="401"
               triggerStatusCode="401"
               timeTaken="46"
               xmlns:freb="schemas.microsoft.com/.../freb"
               >

If I use the new project, in this same log I receive a status code 200. With the same new project I can also use a "Restlet Client" plugin from Chrome and get a response with this line "/Sitefinity/Authenticate/OpenID/.well-known/openid-configuration"

With my Sitefinity dev site I receive a 401 error.

 

 

Posted by Community Admin on 29-Mar-2017 00:00

Finally, after a suggestion from Sitefinity support to use the web.config file of the _empty project, I compared my web.config with the _empty web.config file and found the line that causes the issue.

It was this line: "<add key="owin:AutomaticAppStartup" value="false" />". I commented out this line and now I can access the backend login.

Hope that can help other people.

Regards,

Posted by Community Admin on 03-Jul-2017 00:00

For applications with Configuration files in Azure Database, you need to manually update sf_xml_config_items table with AuthenticationConfig.config settings mentioned above 

Posted by Community Admin on 07-Nov-2017 00:00

Hello, we are using a wildcard certificate and can't get this thing working.

We tried knowledgebase.progress.com/.../IDX10803-Unable-to-create-to-obtain-configuration-from-error-when-trying-to-authenticate and the configuration suggested above.

Our certificate has a complex subject, with CN, O, L, S and C set (CN=*.domain.si,O=our company,L=city,s=city,C=US). How do we set the subjectName attribute on the signingCertificate element? Currently we tried "*.domain.com".

A copy of the page with the same configuration but a non-wildcard certificate works fine on another server.

Regards,

This thread is closed