Authentication issues with 7.2 upgrade
We have an Enterprise Multisite install in a load-balanced environment that we have recently upgraded to version 7.2 from 5.4. We have since then run into many issues with authentication, and we were hoping someone else might have overcome similar issues or otherwise be able to help us with this.
Since we are seeing similar issues in our non-load balanced development environments, I'm not sure that the load balancer has anything to do with the problem, but I mention it because it is an additional variable.
First off, we believe that we have the security settings correct, set according to the instructions at docs.sitefinity.com/administration-configure-security. However, since the instructions are somewhat ambiguous, we are not 100% certain.
We are using claims-based authentication with two membership providers, the Default sitefinity provider and an LDAP provider pulling from Active Directory.
On both servers we have the following settings:
Settings > Advanced > Security > SecurityTokenIssuers
http://localhost
https://localhost
oursite.com/.../SWT
oursite.com/.../SWT
Settings > Advanced > Security > RelyingParties
http://localhost
https://localhost
http://10.1.2.108
http://10.1.2.109
http://oursite.com
https://oursite.com
with the IPs being the IP addresses of the servers in the load balancer. These are all set up to use the Default membership provider.
The behavior we are seeing is twofold:
1) When a user logs in to the site, the SF-TokenId and FedAuth cookies are being added to the browser, but the browser is not always redirecting anywhere (i.e., it is staying on the login page), although the redirect_uri querystring is populated with a location. If a user manually enters that redirect_uri into the browser's address bar, they can visit that page as an authenticated user without an issue.
2) When a user tries to log out via oursite.com/.../SignOut, the authentication cookies are not always deleted, and the user remains effectively logged into the site.
In both of the above cases, the normal login methods occasionally do seem to work correctly (i.e., on login the user is redirected correctly, and on logout the authentication cookies are deleted), but I have been unable to determine a condition that might cause this. The most reliable way to get things to work correctly is to start with a "clean slate", that is a browser in which the history has been completely cleared (cache, cookies, authorization, etc).
Any suggestions would be useful.
Hello Joseph,
I have already answer you in the support ticket.
Once there is a resolution you can share it with the community.
Regards,
Svetoslav Manchev
Telerik