AD integration causes redirect loop
I have followed the instructions for setting up SSO with Windows Integration exactly.
But I cannot access the site using my Windows credentials. It ends up with a redirection loop to any page, except the administration/settings page which gives a: You do not have a permission to access "/<SiteName>/Sitefinity/Administration/Settings".
I have verified that the AD paths and credentials return groups and users appropriately.
Any help would be great.
Hi,
Have you given the appropriate permissions to the AD user in the Sitefinity backend? When you configure the LDAP, you need to assign permissions to the returned Roles or Users, otherwise they will not have the ability to access the backend.
Would it be possible to try the following: disable Single Sign On and try logging in manually to /Sitefinity and select LdapUsers as the provider; that way you will be able to see what permissions your user has.
All the best,
Atanas Valchev
the Telerik team
I am having the same issue. My LDAP user account has backend access. What else could the problem be? I noticed that my name claim includes the domain name, could that be it?
I'm currently having a support ticket open regarding almost the same issue: Sitefinity 6.1SP1, SSO, Windows Authentication with LDAP.
The difference is that I get the redirect loop only when I'm already logged in through a different browser, and only on frontend pages that require authentication. Something about the SelfLogout redirect seems to be broken here, but works fine when I go to /Sitefinity.
Can you guys provide a bit more information (can you access frontend pages that require authentication? What happens when you go to /Sitefinity instead of /Sitefinity/Administration/Settings? What version of Sitefinity?)
I'll keep you updated when I receive more information.
Chris
I'm using a fresh install of SF 6.1 and I don't have any front end pages. I can log in to the backend as an LDAP user with no problem, so I know that I have the proper roles. When I change the config file to point to the STS I get the redirect loop after logging in. This occurs regardless of whether I'm running SitefinityStsWebApp locally (IIS Express) or on a real server with SSL. It definitely appears to be a permission issue.
Can you please post the STS-related configuration in the 3 config files?
Here's what I have, and it seems to work fine for accessing the backend (with the STS running locally on IIS Express with SSL):
SitefinityWebApp: web.config
<federatedAuthentication>
  <wsFederation passiveRedirectEnabled="true" issuer="https://localhost:44300/mysts.ashx" realm="http://localhost" requireHttps="false" />
  <cookieHandler requireSsl="false" />
</federatedAuthentication>
<securityTokenIssuers>
  <add key="<key>" encoding="Hexadecimal" membershipProvider="Default" realm="http://localhost" />
  <add key="<key>" encoding="Hexadecimal" membershipProvider="LdapUsers" realm="https://localhost:44300/mysts.ashx" />
</securityTokenIssuers>
<relyingParties>
  <add key="<key>" encoding="Hexadecimal" realm="http://localhost" />
</relyingParties>
Hi,
Thank you Chris for sharing your configurations. All of the configurations are correct. I want to note that the key that you are using should be the same in all configuration files and lines. For instance:
SecurityConfig.config file
<securityTokenIssuers>
  <add key="C3FD7A027B191121C0917F092981E0E5BA49AC85E8128244983FDE2D21CA32EE" encoding="Hexadecimal" membershipProvider="Default" realm="http://localhost" />
  <add key="C3FD7A027B191121C0917F092981E0E5BA49AC85E8128244983FDE2D21CA32EE" encoding="Hexadecimal" membershipProvider="LdapUsers" realm="http://localhost:15000/mysts.ashx" />
</securityTokenIssuers>
<relyingParties>
  <add key="C3FD7A027B191121C0917F092981E0E5BA49AC85E8128244983FDE2D21CA32EE" encoding="Hexadecimal" realm="http://localhost" />
</relyingParties>
Web.config file:
<wsFederation passiveRedirectEnabled="true" issuer="http://localhost:15000/mysts.ashx" realm="http://localhost" requireHttps="false" />
<add key="http://yourwebsite.com" value="C3FD7A027B191121C0917F092981E0E5BA49AC85E8128244983FDE2D21CA32EE" />
http://localhost:15000 is the URL of the STS site and http://yourwebsite.com is the URL of your web site. Furthermore, you need to make sure that the IIS configurations for the STS site are correct.
Furthermore, I would suggest you review our Sitefinity documentation regarding configuring SSO:
www.sitefinity.com/.../setting-up-sso-with-windows-authentication
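An added example, not part of any post in this thread and not Telerik's code: a Python check that the shared key and the realm/issuer URLs agree across the SecurityConfig.config and web.config fragments before the site is pointed at the STS. It assumes, as both posted configurations show, that the `wsFederation` issuer appears as a `securityTokenIssuers` realm and the `wsFederation` realm as a `relyingParties` realm; the function names, the `securityConfig` wrapper element and the sample keys and URLs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def check_sts_config(security_xml, web_xml):
    """Return a list of findings; an empty list means the fragments agree."""
    sec, web = ET.fromstring(security_xml), ET.fromstring(web_xml)
    issuers = sec.findall(".//securityTokenIssuers/add")
    parties = sec.findall(".//relyingParties/add")
    fed = web.find(".//wsFederation")
    if fed is None:
        return ["web.config has no <wsFederation> element"]
    findings = []

    # 1. Every issuer and relying-party entry must carry the same key.
    #    Only the count is reported, so the key never reaches a log.
    keys = {e.get("key", "").strip().upper() for e in issuers + parties}
    if len(keys) != 1:
        findings.append(f"{len(keys)} distinct keys across entries, expected 1")

    # 2. Stray whitespace inside a realm or issuer value defeats exact matching.
    for e in issuers + parties + [fed]:
        for attr in ("realm", "issuer"):
            value = e.get(attr)
            if value is not None and value != value.strip():
                findings.append(f"<{e.tag}> {attr}={value!r} has stray whitespace")

    # 3. Assumption taken from the posted configs: the wsFederation issuer is
    #    listed as a token-issuer realm and its realm as a relying-party realm,
    #    compared exactly (scheme and port included).
    if fed.get("issuer", "").strip() not in {e.get("realm", "").strip() for e in issuers}:
        findings.append("wsFederation issuer is not a securityTokenIssuers realm")
    if fed.get("realm", "").strip() not in {e.get("realm", "").strip() for e in parties}:
        findings.append("wsFederation realm is not a relyingParties realm")
    return findings

# Constructed sample input: placeholder keys and localhost URLs.
KEY_A, KEY_B = "A1" * 32, "B2" * 32
STS = "https://localhost:44300/mysts.ashx"
WEB = (f'<configuration><wsFederation passiveRedirectEnabled="true" issuer="{STS}" '
       'realm="http://localhost" requireHttps="false" /></configuration>')

def security_fragment(sts_key, sts_realm):
    """Build a SecurityConfig.config-shaped fragment for the checks above."""
    add = '<add key="{}" encoding="Hexadecimal" {}realm="{}" />'
    return ("<securityConfig><securityTokenIssuers>"
            + add.format(KEY_A, 'membershipProvider="Default" ', "http://localhost")
            + add.format(sts_key, 'membershipProvider="LdapUsers" ', sts_realm)
            + "</securityTokenIssuers><relyingParties>"
            + add.format(KEY_A, "", "http://localhost")
            + "</relyingParties></securityConfig>")

if __name__ == "__main__":
    print(check_sts_config(security_fragment(KEY_B, " http://localhost:44300/mysts.ashx "), WEB))
```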
Quick update on the issue I mentioned above: The STS redirect loop for pages that require authentication has been fixed with Sitefinity 6.1 SP2.
Hi,
I am glad to hear that the problem has been fixed.
Regards,
Stefani Tacheva
Telerik