Sitefinity $30K Shakedown or Concurrent CMS User Limit is Broken
Sitefinity’s licensing model of “N concurrent CMS/backend” users just doesn’t work as advertised, because Sitefinity has NO way of distinguishing a back end request from a front end request. So, if you secure your front end, the so-called concurrent CMS user limit even affects front end access...that’s right…users can be denied access to a front end page because of the so-called concurrent CMS user limit. Good luck finding that spelled out somewhere in any documentation. Why isn’t this clearly explained? Sitefinity’s security model is also flawed because it tightly couples authentication and authorization, which I always thought was a big no-no. This leads to some other big problems.
Imagine being denied access to the front end and seeing a dialog that says “…Up to N users can be logged into the backend at the same time” when browsing to a front end page, you would be forgiven for thinking this was a bug. I mean, why else would you see a message about backend access when trying to hit a front end page? A very good question, but be prepared to be disappointed by the answer. I realize this is a long post, but please read to see the full scope of what this means and how it might affect what you pay in licensing costs.
Any time a user with the backend user role assigned views a secured front end page, they are logged in and the concurrent CMS user count is incremented. Once the Nth user with the backend role logs in (where N is the concurrent user limit of your license) no more users that have the backend role assigned can view a secured front end page. This blatantly contradicts what the Sitefinity pricing page says about concurrent CMS users. It makes no mention of the fact that this limit also places restrictions on front end access.
Big deal, you say...just don’t secure your pages. Well, because of the way Sitefinity so tightly couples authentication and authorization if you want to use Telerik’s SSO with Windows authentication implementation you can’t just authenticate your users. Meaning if you want to know a user’s Windows identity, they must hit a secured page (authorization). So, if you need to make sure you always know who a user is, you must secure all pages.
Where this can really become a problem is if you use Sitefinity for your intranet. For most intranets, knowing the identity of users is pretty important, not to mention pretty standard stuff. You also will typically have a large number of users who need back end access. The fact that Sitefinity now has “Intranet Edition” licenses that come with more CMS users than the equivalent “Website Edition” license indicates that Telerik agrees with that principle. These content creators are also frequent visitors of the site’s front end. So, with the SE or PE licenses, it’s very easy to have a situation where users are denied access to the front end because of the so-called concurrent CMS user limit. I have to wonder if the reason the “Intranet Edition” licenses just popped up out of nowhere is because Telerik realized that their licensing model combined with a flawed security model was going to screw their customers who use Sitefinity for their intranet.
When I’ve brought this issue up to Telerik, it’s been met with a gamut of responses. I’ve been asked “Is there any reason for making all the users members of the "backend users" role at first place?” (an actual quote from a Telerik employee) Are you flipping kidding me? Why is that relevant? The product supports giving it to any number of users, right? Why shouldn’t I give it to all my users if I want? There’s nothing in the license that prohibits this so why should I use the product in a way that limits its usefulness just to compensate for a flawed security model? But it just so happens that I do have a very good reason for wanting all my users to have back end access. BECAUSE INTRANET.
But the one response that I find the hardest to comprehend is “Why not add more CMS users to your license?” Sure, I’ll pay extra for your product’s defect, sounds perfectly reasonable. Normally when I find a flaw with the product Telerik pays me (in Telerik points) this time, I’m expected to pay them. And we’re not talking small potatoes here. To do what I want, which is for every user to have back end access, I’d need unlimited users. I don’t need unlimited concurrent CMS users, I just need unlimited total CMS users. 10 users in the backend at a time has worked fine for us for over 3 years.
So, Telerik’s attempt at making this right is to offer me Enterprise Edition with unlimited CMS users for $30K. Because I have PE now, if I did go to EE I would lose the unlimited subdomains I’m currently grandfathered in for on my PE license, and I would now have to pay to register any subdomains beyond the 5 included in EE, including ones I’ve already registered! I guess Telerik feels this is a good deal because they are going to jack up the prices on ALL licenses very soon and EE will come with unlimited users. I suppose they think because I would get the “new” EE license at the “old” price I’m supposed to jump for joy. Maybe I would if I wanted EE, but I REALLY don’t. I desperately want to keep my PE license and I don’t feel like I should have to pay SO MUCH for something that I was told would work: knowing who a user is while maintaining an unsecured front end. This is an intranet, I don’t need to secure my pages. If you can log in to the domain, you can view our intranet. Sitefinity provides no mechanism to make this possible, despite what I was told long ago.
Telerik has admitted to me on several occasions that their security model does indeed couple authentication and authorization and that they plan to correct that in a future release. So, when that happens, and I no longer need EE with unlimited users… would I get a refund? Telerik’s position is that I’m getting a deal, but I just don’t see it that way. I’m expected to pay a HUGE amount of money for a license I neither need nor want, and lose features I do want, just to work around a flaw that they have admitted to and are planning on fixing? I'm sorry, but that just causes me to feel outraged...
It’s very tough to sell management on a $30K purchase when they’re used to paying $3K/yr in renewal costs, especially since the only reason is to make up for a flaw in Sitefinity’s security model. PE has worked for us for 3+ years with no problem. We’ve recommended Sitefinity and other Telerik products to many organizations and Telerik has landed some very high profile clients because we sold those clients on Telerik. This kind of thing makes it hard for me to want to do that in the future.
Wow yeah I always *assumed* that the backend limit didn't increment unless someone had page edit enabled or was physically IN the backend.
Totally seems like the Intranet Edition was created because of this....
Elaborate on the "Pay for Subdomains"...??? We WERE assured the licensing changes (us having to now ASK for them) wouldn't lead to future hosing, and it was just for analytics purposes... (although I did call this one)
If I move to EE, I'm now subject to the subdomain pricing policy. Which means I get 5. If I want to keep the 7 subdomains I currently have on my PE license, I'd have to pay for 2 of them...despite the fact that when I registered them, the policy of my license was for unlimited subdomains. The act of moving to a new license will nullify that agreement and I'm subject to standard subdomain pricing policy. So, I get double boned...
From version to version I have had the feeling that I should move customer sites to another product... From how I track the forums and other sources, the 7th version seems to be a disaster, like version 4.x.
The Sitefinity version 7.0 is our best release to date and you can make a quick reference to our release timeline to see how the platform is constantly evolving. It is also important to note that every Sitefinity license comes with unlimited sub-domains for non-production purposes (e.g. development, testing, staging, etc. environments). Most Sitefinity editions also come with an unlimited number of production and non-production servers.
In regards to concurrent users, I wouldn't say that the Sitefinity concurrent user limit is broken since it is there to limit the number of concurrent users that are authenticated and authorized to access the CMS administration regardless of what they are doing on the website. However, I also don't want to get into this discussion because I feel that it won't be very productive since you've already had many conversations with senior members of our sales, support, and product teams.
Whatever word you use, the fact remains that Sitefinity couples authentication and authorization, which are not the same thing. I've been told by several people that the Sitefinity team is aware of this behavior and aware of the need to correct, which seems to imply something is "broken".
I fully understand the need for a licensing model, and honestly I have no problem with imposing a limit on concurrent users of a secured front end or a front end with inline editing enabled. My problem is that I want neither, but to simply know who a user is (authentication) I need to have them hit a secured page (authorization).
It's very hard to justify spending $30K to work around a (fill in the blank) security model. I also think it REALLY sucks that I will have to apply some clumsy hack that will waste even more of my time implementing it everywhere I need it and make sure that all new developers don't forget to apply the "magic hack". I don't even want to think about when I will have to go back later and rip it all out when authentication and authorization are finally de-coupled. All that because of a (fill in the blank) security model that Telerik admits needs to be fixed.
I had such high hopes that SSO would eliminate the need for elaborate work-arounds just to know the identity of a Windows user on an unsecured front end, but it seems we are no closer than when 4.0 was released.
Totally agree here, Sitefinity should be able to differentiate between a real backend user or users whose roles permit access to Sitefinity admin features and Frontend users who are just part of the public website membership system. On the basis of what you are saying, please correct me if I am wrong, I will lose access to the backend as soon as five users (we use SE) of the site are simultaneously logged into their user accounts on my site. Also no other users will be able to log into their accounts. I had no idea that this would be the case and it seems totally wrong. So wrong in fact that I would need to seek alternatives to Sitefinity moving forwards.
Mike,
We just got this email today: "We will no longer be offering 5 complimentary sub-domains with each license and going forward every domain name pointing to a production website will require the purchase of a domain add-on licenses." So just 15k X 6 now? Doesn't seem unreasonable...
Hi
I think the domain-based model is very bad. In fact, this stops small companies from using Sitefinity. A server-based model would be the fairest, maybe also with some limit on the max. number of domains per server.
Dear Mr B! You can not be serious, right?!
Fully agree Mr Matt!
Gunnar, I wish I was joking, but alas, I am dead serious. My tone was perhaps a bit too harsh, but everything I said is true.
I checked the pricing page and you're right that it is vague: "You may create unlimited number of users/accounts. However, the number of users accessing the Sitefinity backend simultaneously depends on the edition purchased."
That does definitely sound like it's a limitation of people actively using the backend rather than people with potential access to the backend. I would definitely recommend Telerik modify the wording there... (actually it would make more sense to modify the system itself, but I doubt that's going to happen any time soon).
In the meantime, the question they've asked is a valid one: is there any reason you've given all of your users backend access if you only need a few backend users?
Nick, I don't really think that's a valid question, because they place no limit on how many people you can assign the role to. However, I do have a valid reason. We use Sitefinity for our intranet and I want all my users to have the ability to create content. It's not that I am giving the role to everyone, but only a few need it. I want all my users to be contributing some form of content. We restrict what types of content users can work with based on role and such, but everyone should be able to work with the CMS in some fashion.
It's so frustrating because all the docs, marketing or other "official" literature EXPLICITLY mentions the Sitefinity backend when talking about how licensing works. I've even had to tell people from Telerik's support staff that the limit affected ANY secured content...not just the backend. Just a few months ago, too...How messed up is that? Not even Telerik support staff knows how it works...
"However, the number of users accessing the Sitefinity backend simultaneously"
This is how I always assumed it worked too...users in inline editing mode or physically IN the backend...not just logged in.
Sidenote: Per-Server licensing is a terrible idea...telligent does this and it's so frustrating. If you think it's annoying having to ask for a new subdomain try to do it when you need a load balancer, dev instance, or migrating to a new server...
That's what I'm saying... I'd bet almost all customers assume that's how it works. Heck, even Telerik support staff is confused about it to the point where they reply to support tickets with incorrect information about how the product works. It wouldn't be such a big deal if all the wording didn't EXPLICITLY mention the backend. It also wouldn't be as big a concern to me if I weren't FORCED to secure all my pages because of how tightly authentication and authorization are coupled.
Sitefinity does have a way to determine front end pages versus back end pages and/or front end users versus back end users. It's all part of the membership provider and page metadata.
I've been developing with Sitefinity for years and never ran across an issue with users not being able to access the front end. We have done numerous load tests and simulated user tests and haven't encountered any issues.
I would contact support if you are having some kind of issue like people not being able to access the front end.
Dan, I'm talking about requests, not properties of the PageNode. I realize that Sitefinity exposes that property but that's not what I'm talking about. The simple fact is that the concurrent CMS user count is incremented anytime a user with the backend user role hits a secured page...back end or front end. So, if all your pages are secured you can only have X number of users with the backend role view ANY page concurrently (where X is the number of concurrent CMS users your license allows).
Ahh, yes if the user has the back end user role, then this is counted in the concurrent user limitation.
Do all your users need to have back end access? I can see your dilemma, but generally the sites I have developed with Sitefinity have no more than 5 users that have back end access. The rest of them are just normal users who do not or would not encounter the issue you describe if all the pages are secured.
I'm going to wager a guess that most of the sites you've developed were for public facing websites, correct? In my case I'm using Sitefinity for an intranet, and while I don't *need* all my users to have that role, I do need a pretty large number of them to have it. Ideally, I would like every single user to be able to contribute content and the fact that the app places no limit on how many people the role can be assigned to....why shouldn't I give it to everyone? I don't need or want them in the backend concurrently, but I do need them to be able to access it.
Our decisions were made based on the EXPLICIT mention of the term "Sitefinity backend" in all the official documentation. If the term "backend" wasn't explicitly mentioned, I wouldn't be so frustrated. But it is explicitly mentioned...and nobody seems to care about how INCREDIBLY misleading that is. Especially in the scenario I describe... an intranet using SSO with Windows authentication where knowing the identity of a user is required. I shouldn't need to secure my entire front end just to be able to grab the user's Windows identity... Once I secure the entire front end, I'm now at the mercy of the draconian licensing model...
Yeah most of them have been public facing. I have done one site which was an intranet and it was integrated w/ Active Directory. However the client had an enterprise level license with unlimited concurrent users. So we didn't run into this issue.
I do feel your frustration though as I have had other issues where support was no help at all or their answer generally has always been "send us your project and we'll debug it". To me, if you are spending thousands of dollars for a product, you had best have a lot more than "send us your project" to say when supporting your project.
Yeah, well the response I got was "Send us your MONEY". I don't want to go to EE, I don't want my renewal costs to triple for a bunch of features I would NEVER use. I just don't think it's fair to make me pay that price just so I can "workaround" the hare-brained security model. I also don't want to have to implement some clumsy hack to make up for a flaw in the product. Yes, I know it's not a BUG (technically speaking), but it IS a pretty poor design choice. Why can't I simply authenticate a user? Why do I NEED to make them hit a secured resource just to get their identity?
Hi guys,
I wanted to jump in and provide my comments and perspective on some of the points raised in this discussion.
First of all I don't think the language that's being used in some of the posts is appropriate. Talking about "getting double boned" and "hare-brained implementation" is plain offensive. The guys in the engineering and support teams work really hard to build and improve Sitefinity and help you solve problems specific to your projects, even custom code outside of Sitefinity. All products have some shortcomings but I don't think this calls for name calling. You can also be sure that offending the people who are best equipped to help you is unlikely to get you closer to a real solution.
That being said, a workaround was provided through the support ticketing system but was deemed "too hacky". Not sure if there's a definition for that, but the team spent many hours to provide a solution which was quickly dismissed and then followed by this post. We've also provided licensing discount options but that wasn't accepted as a solution either. Hopefully someone here can provide a solution which is not "too hacky" and does a better job at solving the issue.
Finally about server licensing - i agree with Steve that it's a terrible idea. We investigated that in detail a few months ago and decided not to pursue it. Instead we're implementing domain bundles for each edition which provide more competitive pricing for multiple domains. Details are available with the sales team.
Thanks,
Martin Kirov
Dear Martin
I have said many times before that Telerik can charge whatever they want for the products. It is only Telerik’s decision to find a price that suits them or their target clients.
But in the past I have felt more than once that every change is leaving a bit of a sour taste.
The latest licensing change, that you will no longer be offering 5 complimentary sub-domains, is another example. Yes, we can register them till the end of August, but if a client does not need them now he/she will lose a right he bought once and will have to fork out 1'499 $ for each sub-domain they want.
So way back my client bought an SE for 2'999 (or even 1'999) with 5 sub-domains. If all of a sudden he needs 2 subdomains in September he will have to pay an extra 2'998 USD.
Of course I could have misunderstood the lengthy mails I exchanged.
Markus.
Hi Markus,
I am not sure how this relates to the current thread but all licenses we sell keep the terms at which they were sold regardless of any future license changes. This means that if you purchased a license with unlimited sub-domains it will always have this property. However, if we update the licensing so unlimited sub-domains are no longer part of it, all licenses purchased after that point no longer have unlimited sub-domains.
Martin
Dear Martin
I just received an email informing me that the announced changes with the subdomains will not go through.
Good news ... but I received another mail informing me that the renewal of 3.7 licenses will go up to 899$.
While I understand that SF is the best CMS out there and 7.0 is a huge step over 4.0 (remember the t-shirts), this leaves another sour taste.
I have a 3.7 site with a ton of custom controls that were programmed in VB on a server that would not be able to handle SF 7. A whole reservation and booking system was built around SF 3.7. So migrating would be a huge cost factor for this client (we are probably talking about 20k+) and the site is running fine with no need for 7.0 features. We kept renewing so we could use the latest RadControls.
So now I got an e-mail telling me how great 7.0 is and that the renewal cost would now be $899 instead of $269 USD (+300%).
For something the client does not want or need.
Furthermore if I bought a SF license 4.0 the renewal price is $599 since the responsive module is not included. Which if thought through would lead to the conclusion that this price could change as well.
This just feels like 7.0 is forced upon us. Believe me I am a huge fan of Sitefinity and Telerik and have not developed with any other CMS but SF since 4.0 and have more than one site running on Sitefinity.
But this mail makes me wonder what changes might surprise me next (besides the recycle bin and other new great features that every release brings)
Just something to think about.
Markus… all licenses we sell keep the terms at which they were sold regardless of any future license changes.