Gaining access to back end after LDAP configured

Posted by Community Admin on 03-Aug-2018 05:38


All Replies

Posted by Community Admin on 11-Apr-2013 00:00

I appear to have gotten myself into a bit of a pickle.  I installed, configured and created pages and content within a 5.4 installation.  A client then informed me that they wanted Active Directory integration with SSO.  I configured things for the integration yesterday and went home.  When I got back in this morning, my previous administrative user session had timed out.  Being as I had not fully configured roles for AD users/groups to have back end access and SSO is enabled, I'm not 100% clear on how to return to the default authentication provider so that I can log in using the standard form.

Can anyone shed some light on a process on how to achieve this either through perhaps a query string argument, configuration change or database tweak to give at least a known AD user (mine) access to the back end?

Posted by Community Admin on 11-Apr-2013 00:00

If you edit the security config manually (and recycle the app pool), could you give your role admin rights for now?

<roleProviders>
    <add description="AppRolesDescription" type="Telerik.Sitefinity.Security.Ldap.LdapRoleProvider, Telerik.Sitefinity" applicationName="LdapBackend/" enabled="True" name="MyADRoles" />
</roleProviders>
<administrativeRoles>
    <role roleProvider="MyADRoles" roleName="SITE_Admin" />
</administrativeRoles>

...but couldn't you still visit /Sitefinity and pick "Default" as the provider to log in...or did you disable Default as well?

Posted by Community Admin on 12-Apr-2013 00:00

I suspect that I either disabled Default or overwrote it (getting a hit on the latter) when configuring LDAP with SSO via the STS application as I get the fairly immediate "You do not have permission to access" message.  What I can do differently in the future is to leave it present until I know that everything is sorted and working properly.
I've tried what you suggested with the security configuration with no change in the experienced outcome.

Posted by Community Admin on 12-Apr-2013 00:00

You should still be able to edit your security config to re-enable default though...by default it IS enabled, so in order to turn it off the "enabled" flag will trip to false...so since that is different than the default setting it will appear in the config file for you to edit.

Confused? :)

Posted by Community Admin on 12-Apr-2013 00:00

I'm with you on that re the state of enabled/not enabled.  Knowing what you're telling me that it is enabled by default (as it isn't present within the security configuration file), what I feel and believe is happening is something (ldap provider?) is grabbing the authentication process before the default.

Posted by Community Admin on 12-Apr-2013 00:00

When you go to site.com/Sitefinity you do or do not see a dropdown for default\ldap?

Posted by Community Admin on 12-Apr-2013 00:00

I do not see the original login form with a drop down option, no.

Posted by Community Admin on 12-Apr-2013 00:00

...can you send me your securityconfig?  steve at sitefinitysteve com?

Posted by Community Admin on 12-Apr-2013 00:00

Sent.  If we're able to nut this out, I'll follow up with resolution information so that others can also have the knowledge and it is searchable.

Posted by Community Admin on 15-Apr-2013 00:00

For the benefit of others that may be seeking the same information, Telerik support response on this is firstly re-enabling manual log in (I chose on the day to restore the VM to a known state to reduce time required):

<federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true" issuer="http://localhost" realm="http://localhost" requireHttps="false" />
    <cookieHandler requireSsl="false" />
</federatedAuthentication>
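A check over the two fragments quoted in this thread, added here as an example and not part of any post or of Sitefinity itself: it flags an administrative role bound to a switched-off role provider, and the explicit plain-HTTP settings in the federatedAuthentication block. The `<config>` wrapper, the function names and the finding codes are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed input: the thread's two fragments inside a made-up <config> root.
SAMPLE = """<config>
<roleProviders>
  <add type="Telerik.Sitefinity.Security.Ldap.LdapRoleProvider, Telerik.Sitefinity"
       applicationName="LdapBackend/" enabled="True" name="MyADRoles" />
</roleProviders>
<administrativeRoles>
  <role roleProvider="MyADRoles" roleName="SITE_Admin" />
</administrativeRoles>
<federatedAuthentication>
  <wsFederation passiveRedirectEnabled="true" issuer="http://localhost"
                realm="http://localhost" requireHttps="false" />
  <cookieHandler requireSsl="false" />
</federatedAuthentication>
</config>"""

def is_false(value):
    return (value or "").strip().lower() == "false"

def audit(xml_text):
    """Return (code, detail) findings for the settings discussed in the thread."""
    root, findings = ET.fromstring(xml_text), []
    # Lockout check. Assumption: a role provider declared with enabled="False"
    # resolves no members, so an admin role bound to it admits nobody.
    disabled = {p.get("name") for p in root.findall(".//roleProviders/add")
                if is_false(p.get("enabled"))}
    for role in root.findall(".//administrativeRoles/role"):
        if role.get("roleProvider") in disabled:
            findings.append(("ADMIN_ROLE_ON_DISABLED_PROVIDER", role.get("roleName")))
    # Transport checks: explicit opt-outs from HTTPS on the sign-in redirect
    # and from the Secure flag on the session cookie, plus http/localhost URLs.
    for ws in root.findall(".//federatedAuthentication/wsFederation"):
        if is_false(ws.get("requireHttps")):
            findings.append(("WSFED_HTTPS_NOT_REQUIRED", ws.get("issuer")))
        for attr in ("issuer", "realm"):
            url = urlparse(ws.get(attr) or "")
            if url.scheme == "http" or url.hostname == "localhost":
                findings.append(("NON_PRODUCTION_" + attr.upper(), ws.get(attr)))
    for ch in root.findall(".//federatedAuthentication/cookieHandler"):
        if is_false(ch.get("requireSsl")):
            findings.append(("COOKIE_SECURE_FLAG_OFF", "cookieHandler"))
    return findings

if __name__ == "__main__":
    for code, detail in audit(SAMPLE):
        print(code, detail)
```

Run against the fragments as posted, it reports the four transport findings and no lockout finding, which fits a recovery setting meant to be tightened again once back-end access is restored.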

This thread is closed