External Security Token Service issues

Posted by Community Admin on 04-Aug-2018 12:57

Posted by Community Admin on 18-Jul-2012 00:00

When I follow the provided instructions here:

www.sitefinity.com/.../setting-up-sso-with-windows-authentication

Most things work as expected, except for the occasional infinite redirect loop, but when I pull up a page in the CMS backend and edit it, I get this error when I try to publish:

The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'

I also wrote a variation of the token service to use our standard third-party auth, and when I publish after logging in with that I get:

Return code: 0

When I examine the IIS logs I can see that an attempt to call
/DefaultWorkflows/PagesApprovalWorkflow.xamlx
resulted in the client side javascript being 302'ed to the login page at which point it seems to abort the request.

Whatever is running the backend services is not acknowledging the login state of the client when I use an external STS.

In the customized token service I have pretty much everything working except the backend services and role updates. I cannot get a person's role claims to be recognized when they log out and log back in after having their roles changed in the third-party user data store. Whenever someone logs in, their roles are stuck until I recycle the worker pool for the Sitefinity site, regardless of what the STS is indicating in claims on later logins.

NT auth and Sitefinity's built-in basic auth are simply not acceptable solutions for our customers. This wasn't too difficult to correct in 3.7, but it looks like it might be a dealbreaker for doing new projects in Sitefinity in the future if we cannot correct it.

Edit: forgot to include that I am using Sitefinity 5.0.2523.0 on Windows 7 using IIS 7.5.

Posted by Community Admin on 19-Jul-2012 00:00

Probably not much help, but I have just checked and I can publish pages when using an external STS.
I am using Sitefinity 5.0.2860.0 on Windows 7, IIS 7.5.
My user is BackendUser AND Administrator. I did notice that I have sometimes needed to restart IIS to make security changes propagate through to my browser.

Just downloaded the new SF 5.1 example STS, but it looks like the same code in a slightly different format. Fingers crossed :)

Posted by Community Admin on 19-Jul-2012 00:00

Some feedback that it actually can work is useful, and since you are on a later version, maybe I need to wipe this installation and start over if I end up spending too much more time without making progress.

Out of curiosity, in your earlier post it sounded like you intended to mod the STS example to your own needs. If you did that, could you offer some hint at what you changed?

Posted by Community Admin on 19-Jul-2012 00:00

My requirements were:
Use existing forms based database
Use Custom role provider
Only sign in once to have filtered content in Sitefinity, but also to use our backend websites.

I have modified the STS so that the authentication is forms-based and uses our existing DB. I amended SimpleWebTokenHandler.cs slightly, see below. I also had to point Sitefinity at our forms database (Security.config and web.config changes). I'll post a full description on my other thread this evening.

// Original Windows-authentication check from the sample STS, commented out so that
// a forms-authenticated user is accepted instead of a WindowsPrincipal:
//var winPrincipal = context.User as WindowsPrincipal;
//if (winPrincipal == null || !winPrincipal.Identity.IsAuthenticated)
//    throw new ConfigurationException("This web site is not correctly configured for Windows authentication.");
//var principal = ClaimsPrincipal.CreateFromPrincipal(winPrincipal);

// Added guard (not in the posted snippet): whichever provider authenticated the request,
// never issue a token for an anonymous principal.
if (context.User == null || !context.User.Identity.IsAuthenticated)
    throw new ConfigurationException("The request is not authenticated; the STS will not issue a token.");
var principal = ClaimsPrincipal.CreateFromPrincipal(context.User);

Posted by Community Admin on 19-Jul-2012 00:00

That is pretty much the same thing I did, along with many variants of issuing the role claims. It is sounding more and more like either I have a buggy version or I have some subtle misconfiguration somewhere in the custom STS that I am not seeing.

I look forward to seeing your example to compare.

If there are any Telerik folks reading this here is some detail that may be useful to you:

Since yesterday I did discover that the 302 on DefaultWorkflows/PagesApprovalWorkflow.xamlx was resulting in a second session being started, because it was redirecting to the STS and the provided STS code ALWAYS issues a new token id. I corrected that, and now the redirect to and back from the STS is fine, but when I return to DefaultWorkflows/PagesApprovalWorkflow.xamlx it now calls ~/Sitefinity/Services/Workflow/WorkflowService.svc and the client pops this error:

The content type text/html; charset=UTF-8 of the response message does not match the content type of the binding (text/xml; charset=utf-8). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. The first 1024 bytes of the response were: '<HTML><HEAD><link rel="alternate" type="text/xml" href="http://localhost/sf-five/DefaultWorkflows/PagesApprovalWorkflow.xamlx?disco"/><STYLE type="text/css">#content FONT-SIZE: 0.7em; PADDING-BOTTOM: 2em; MARGIN-LEFT: 30pxBODYMARGIN-TOP: 0px; MARGIN-LEFT: 0px; COLOR: #000000; FONT-FAMILY: Verdana; BACKGROUND-COLOR: whitePMARGIN-TOP: 0px; MARGIN-BOTTOM: 12px; COLOR: #000000; FONT-FAMILY: VerdanaPREBORDER-RIGHT: #f0f0e0 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #f0f0e0 1px solid; MARGIN-TOP: -5px; PADDING-LEFT: 5px; FONT-SIZE: 1.2em; PADDING-BOTTOM: 5px; BORDER-LEFT: #f0f0e0 1px solid; PADDING-TOP: 5px; BORDER-BOTTOM: #f0f0e0 1px solid; FONT-FAMILY: Courier New; BACKGROUND-COLOR: #e5e5cc.heading1MARGIN-TOP: 0px; PADDING-LEFT: 15px; FONT-WEIGHT: normal; FONT-SIZE: 26px; MARGIN-BOTTOM: 0px; PADDING-BOTTOM: 3px; MARGIN-LEFT: -30px; WIDTH: 100%; COLOR: #ffffff; PADDING-TOP: 10px; FONT-FAMILY: Tahoma; BACKGROUND-COLOR: #003366.introMARGIN-LEFT: -15px</STYLE><TITLE>ContentApprovalWorkflow Service</TITLE>'.

In the IIS log I get a 500 with an exception detail for what I presume to be an internal call that looks like it should be a 401:

Log Name:      Application
Source:        ASP.NET 4.0.30319.0
Date:          7/19/2012 9:40:19 AM
Event ID:      1309
Task Category: Web Event
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      VDI-W7-DEV-17.eim-inc.net
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 7/19/2012 9:40:18 AM
Event time (UTC): 7/19/2012 1:40:18 PM
Event ID: 5f37912e4fad439291a049950dbbd76b
Event sequence: 4
Event occurrence: 1
Event detail code: 0
  
Application information:
    Application domain: /LM/W3SVC/1/ROOT/sf-five-1-129871787758435304
    Trust level: Full
    Application Virtual Path: /sf-five
    Application Path: C:\inetpub\wwwroot\sf-five\
    Machine name: VDI-W7-DEV-17
  
Process information:
    Process ID: 8876
    Process name: w3wp.exe
    Account name: IIS APPPOOL\ASP.NET v4.0
  
Exception information:
    Exception type: HttpException
    Exception message: You are not authorized to access this page
   at Telerik.Sitefinity.Web.SitefinityRoute.CheckSecurity(HttpContextBase httpContext, PageSiteNode node)
   at Telerik.Sitefinity.Web.SitefinityRoute.GetRouteData(HttpContextBase httpContext)
   at System.Web.Routing.RouteCollection.GetRouteData(HttpContextBase httpContext)
   at System.Web.Routing.UrlRoutingModule.PostResolveRequestCache(HttpContextBase context)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
 
  
  
Request information:
    Request path: /sf-five/secure/Action/Edit
    User host address: ::1
    User: 
    Is authenticated: False
    Authentication Type: 
    Thread account name: IIS APPPOOL\ASP.NET v4.0
  
Thread information:
    Thread ID: 6
    Thread account name: IIS APPPOOL\ASP.NET v4.0
    Is impersonating: False
    Stack trace:    at Telerik.Sitefinity.Web.SitefinityRoute.CheckSecurity(HttpContextBase httpContext, PageSiteNode node)
   at Telerik.Sitefinity.Web.SitefinityRoute.GetRouteData(HttpContextBase httpContext)
   at System.Web.Routing.RouteCollection.GetRouteData(HttpContextBase httpContext)
   at System.Web.Routing.UrlRoutingModule.PostResolveRequestCache(HttpContextBase context)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
  
  
Custom event details:
 
Event Xml:
  <System>
    <Provider Name="ASP.NET 4.0.30319.0" />
    <EventID Qualifiers="32768">1309</EventID>
    <Level>3</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-07-19T13:40:19.000000000Z" />
    <EventRecordID>94098</EventRecordID>
    <Channel>Application</Channel>
    <Computer>VDI-W7-DEV-17.eim-inc.net</Computer>
    <Security />
  </System>
  <EventData>
    <Data>3005</Data>
    <Data>An unhandled exception has occurred.</Data>
    <Data>7/19/2012 9:40:18 AM</Data>
    <Data>7/19/2012 1:40:18 PM</Data>
    <Data>5f37912e4fad439291a049950dbbd76b</Data>
    <Data>4</Data>
    <Data>1</Data>
    <Data>0</Data>
    <Data>/LM/W3SVC/1/ROOT/sf-five-1-129871787758435304</Data>
    <Data>Full</Data>
    <Data>/sf-five</Data>
    <Data>C:\inetpub\wwwroot\sf-five\</Data>
    <Data>VDI-W7-DEV-17</Data>
    <Data>
    </Data>
    <Data>8876</Data>
    <Data>w3wp.exe</Data>
    <Data>IIS APPPOOL\ASP.NET v4.0</Data>
    <Data>HttpException</Data>
    <Data>You are not authorized to access this page
   at Telerik.Sitefinity.Web.SitefinityRoute.CheckSecurity(HttpContextBase httpContext, PageSiteNode node)
   at Telerik.Sitefinity.Web.SitefinityRoute.GetRouteData(HttpContextBase httpContext)
   at System.Web.Routing.RouteCollection.GetRouteData(HttpContextBase httpContext)
   at System.Web.Routing.UrlRoutingModule.PostResolveRequestCache(HttpContextBase context)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
 
</Data>
    <Data>/sf-five/secure/Action/Edit</Data>
    <Data>::1</Data>
    <Data>
    </Data>
    <Data>False</Data>
    <Data>
    </Data>
    <Data>IIS APPPOOL\ASP.NET v4.0</Data>
    <Data>6</Data>
    <Data>IIS APPPOOL\ASP.NET v4.0</Data>
    <Data>False</Data>
    <Data>   at Telerik.Sitefinity.Web.SitefinityRoute.CheckSecurity(HttpContextBase httpContext, PageSiteNode node)
   at Telerik.Sitefinity.Web.SitefinityRoute.GetRouteData(HttpContextBase httpContext)
   at System.Web.Routing.RouteCollection.GetRouteData(HttpContextBase httpContext)
   at System.Web.Routing.UrlRoutingModule.PostResolveRequestCache(HttpContextBase context)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
</Data>
  </EventData>
</Event>
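
The STS change David posted (issuing the token from whatever principal authenticated the request) and the token and role problems described in the post above both come down to what the token carries and what the relying party checks before trusting it. As an added example, not code from this thread or from the Sitefinity STS sample, here is a minimal Simple Web Token (SWT) round trip in C#: the issuer signs the user's name and role claims with the shared key, and the relying party verifies signature, issuer, audience and expiry before reading roles out of the token. The field names follow the public SWT profile; the issuer/audience URLs, role names and key are placeholders, and the exact layout Sitefinity expects is an assumption.

```csharp
// Added example, not code from the Sitefinity STS sample or from this thread.
// Field names follow the public SWT profile (Issuer, Audience, ExpiresOn, HMACSHA256);
// the claim layout Sitefinity itself expects is an assumption.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Security.Cryptography;
using System.Text;

public static class SwtExample
{
    public const string NameClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name";
    public const string RoleClaim = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";
    const string SignatureField = "HMACSHA256";
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // STS side: sign the claims of the principal that authenticated this request.
    public static string Issue(string issuer, string audience, byte[] sharedKey,
                               string userName, IEnumerable<string> roles, DateTime expiresUtc)
    {
        var fields = new[]
        {
            Field("Issuer", issuer),
            Field("Audience", audience),
            Field("ExpiresOn", ((long)(expiresUtc - Epoch).TotalSeconds).ToString()),
            Field(NameClaim, userName),
            Field(RoleClaim, string.Join(",", roles)),   // SWT: multi-valued claim as one CSV value
        };
        string unsigned = string.Join("&", fields);
        string mac = Convert.ToBase64String(Hmac(sharedKey, unsigned));
        return unsigned + "&" + Field(SignatureField, mac);
    }

    // Relying-party side: reject the token before reading any claim out of it.
    public static IDictionary<string, string> Validate(string token, string expectedIssuer,
                                                       string expectedAudience, byte[] sharedKey, DateTime nowUtc)
    {
        string marker = "&" + SignatureField + "=";
        int at = token.LastIndexOf(marker, StringComparison.Ordinal);
        if (at < 0) throw new SecurityException("Token carries no signature.");

        string unsigned = token.Substring(0, at);
        byte[] presented = Convert.FromBase64String(Uri.UnescapeDataString(token.Substring(at + marker.Length)));
        // Recompute over exactly the bytes that were signed and compare in constant time.
        if (!FixedTimeEquals(presented, Hmac(sharedKey, unsigned)))
            throw new SecurityException("Token signature does not verify.");

        var claims = unsigned.Split('&')
            .Select(p => p.Split(new[] { '=' }, 2))
            .ToDictionary(kv => Uri.UnescapeDataString(kv[0]),
                          kv => kv.Length > 1 ? Uri.UnescapeDataString(kv[1]) : "");

        if (Get(claims, "Issuer") != expectedIssuer) throw new SecurityException("Unexpected issuer.");
        if (Get(claims, "Audience") != expectedAudience) throw new SecurityException("Token issued for another relying party.");
        long expires;
        if (!long.TryParse(Get(claims, "ExpiresOn"), out expires) || Epoch.AddSeconds(expires) <= nowUtc)
            throw new SecurityException("Token has expired.");
        return claims;
    }

    // Roles come from the token presented on this sign-in, never from a per-user cache;
    // caching them is what makes a role change in the external store invisible until a recycle.
    public static string[] Roles(IDictionary<string, string> claims)
    {
        string raw = Get(claims, RoleClaim);
        return raw.Length == 0 ? new string[0] : raw.Split(',');
    }

    static string Field(string name, string value)
    {
        return Uri.EscapeDataString(name) + "=" + Uri.EscapeDataString(value);
    }

    static string Get(IDictionary<string, string> claims, string name)
    {
        string v;
        return claims.TryGetValue(name, out v) ? v : "";
    }

    static byte[] Hmac(byte[] key, string data)
    {
        using (var h = new HMACSHA256(key))
            return h.ComputeHash(Encoding.UTF8.GetBytes(data));
    }

    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample: key, URLs and role names are placeholders, not real configuration.
        byte[] key = Encoding.UTF8.GetBytes("replace-with-the-shared-secret-from-SecurityConfig");
        string sts = "http://localhost/sts", rp = "http://localhost/sf-five";
        string token = Issue(sts, rp, key, "jdoe", new[] { "BackendUsers", "Editors" }, DateTime.UtcNow.AddMinutes(10));
        Console.WriteLine(string.Join(",", Roles(Validate(token, sts, rp, key, DateTime.UtcNow))));

        // Editing a role inside the signed part must be rejected, not silently honoured.
        string tampered = token.Replace("Editors", "Administrators");
        try { Validate(tampered, sts, rp, key, DateTime.UtcNow); }
        catch (SecurityException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Two points from the thread map onto this directly. The 302 to the login page on the WorkflowService.svc call means that request reached the relying party without a token (or session cookie) it would accept, so the service answered as anonymous; whatever the fix, the service requests must carry the same credential the browser got back from the STS. And roles staying stuck until a worker-process recycle is the signature of the relying party caching roles per user name rather than rebuilding them from the claims in each newly validated token.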

Posted by Community Admin on 19-Jul-2012 00:00

I think seeing your working example of security.config shows me something went wrong when I used the admin tools to edit the settings.  Looks promising so far.  I will update after some additional testing.

Thanks for the example regardless.

UPDATE:
It looks like the security config issue and something I had wrong in the role implementation were most of my issues. That means I have even more work to do, but at least I think I am on the right track. We have wasted weeks trying to do this off the developer docs, and I pretty much just did a POC version from scratch in about 6 hours with David's examples.

This sort of detailed example is sorely needed in the Sitefinity 5 Docs.

Thanks again David.

Posted by Community Admin on 06-Feb-2013 00:00

I did a blog post today which might help you. I intend to blog about a few advanced scenarios as well in the coming weeks.

zamd.net/.../
