Cannot edit pages if RequireSSL is set to true
We are running SF version 4.3.1885.0.
We have recently turned on RequireSSL for all pages in our site - including all back-end pages. We are using self-signed certs on our dev environments. We do *not* have require ssl set to true in the IIS configuration.
We are getting strange behavior, and some errors when trying to edit our front-end pages via the SF admin screens. With SSL enabled for all pages, we are unable to publish. When we try, we receive the following dialog box message:
"The HTTP request was forbidden with client authentication scheme 'Anonymous'."
If we set RequireSSL to "false" for the *back-end* pages, we are able to publish, but see other issues. For example, when dropping in a content block, we are not seeing the initial Edit Content icon. In addition, if we edit the contents of the block and save the changes, the changes are not reflected in the administrative Edit page view. We can preview the page and see the changes, and publishing the page and returning to edit mode will show the changes.
We need to have SSL enabled for all of our pages, so turning off SSL is not an option for us.
Is there some other configuration setting necessary to properly enable SSL in Sitefinity?
Basically there is no other setting that you need to apply in order to run the Pages in SSL encryption. However in your post you mentioned that you didn't set the "Require SSL" setting in the IIS. Is there any specific reason for that?
the Telerik team
Thank you for the information provided.
After further investigation I found that this is actually a Known Issue in Sitefinity. After pressing the "Publish" of the page you cannot be redirected in the backend. However the page is published and you can access it by the url. Here's the PITS Issue Url so that you can track its status.
Please accept my apologies for the caused inconvenience.
All the best,
the Telerik team
Did you mange to find a fix for this? We're struck with the same issue. After aplying SSL, we cannot edit the content and cannot delete any pages. Please let me know if you have a solution for this?
If your Frontend behavior is normal with SSL enabled, workaround for the Backend issues is disabling SSL (form the page->Actions->Title and properties->Require SSL checkbox)->Clearing the browser cache-> Editing the page, publishing etc(you will be able to edit the page when SSL is off)->Enabling SSL again. I know it is a bit of a hassle but it is an option while the issue is being worked on.
I apologize for the inconvenience caused.
Sitefinity > Administration > Settings > Advanced > ServicesPaths : set your url site without https.
It's unlock publishing workflow for full https site.
Thanks for the information.
I ve a full https site and we don't use Analytics. So we didn't uncomment and it has no impact.
It's probably needed because this is a part of google webApp and requests are differents according to the protocol.
I'm running into the same refresh problem John mention when having a complete SSL secured site (both front and back ends) . Our users will have to hit preview all the time in order to see the changes on the pages. Weird thing is that this do not happen when designing templates. I realized that the update of the content fails for a service call that looks like this:
As Nicolas suggest, I tried to change the ServicePath property on Administration > Settings > Advance > System > ServicesPaths and set the WorkflowBaseUrl property to my root on http without success. As soon I disable "Required SSL" checkbox, my page start working fine again. Does anyone has any suggestion that may help overcome this problem? Thanks
I set required ssl only on Sitefinity folder not on all web site.
Nicolas: Do you have any App_Data folders, such as themes? I heard that they are mapped under "Sitefinity". If so, wouldn't setting SSL to all of "Sitefinity" affect the front end site?
I made a bad explanation there are two folders Sitefinity and it can be confused.
Sitefinity folder are on root (it contains Services), this is not the one under App_Data.
The process I follow for a full https site under IIS 6.5:
- Required SSL on Sitefinity folder on root (it contains Services)
- Set all pages [require_ssl] to 1 into sf_page_data datatable
- Configure Sitefinity > Administration > Settings > Advanced > ServicesPaths with root url site without https
Originally I wanted only Sitefinity backend in https but did not allow it. Maybe on next version.
Thanks Nicolas for clear that out. I will try it and hope that works for me too...
I use base url http://my_site_url/, you don't have to specify directly path to services.
This configuration is useful only to avoid blocking Sitefinity's workflow publication in backend.
If your https configuration is correct event without this, you should be able to navigate on your site.
The big problem here in our opinion - and this does not appear to be fixed in v5 either - is that the administrative pages do not behave correctly for public pages that are under SSL. You have to save as draft, or publish, pages before you can see your changes in the admin screens.
I have a configuration for preview with SSL.
Administration > Settings > Advanced > System > Site Url Settings
- Check Replace Site URL checkbox
- Site URL => https://mysite/
- Check Enable non-default Site URL Settings
- The Host => mysite/
I'm still without luck setting my site under SSL.
I will like to note that as soon as I place a content block in the page, the ZoneEditorService.svc failed and this is the error on the logs:
Type : System.NullReferenceException, mscorlib, Version=126.96.36.199, Culture=neutral, PublicKeyToken=b77a5c561934e089
I'm struggling with this at the moment. Telerik support suggested setting all back end pages to RequireSSL (Which we did). However, the authentication check that is done in certain places on the back end interface seems to be a redirect to another page to check permissions or something, and it passes the URL that is trying to get to to it (/Sitefinity/Authenticate/SWT?URL). When that URL is an HTTP URL (e.g., when you are in Pages, and trying to edit a page that DOESN'T have RequireSSL marked and your backend pages all DO have RequireSSL marked, or vica versa) this jump from HTTPS to HTTP breaks the Sitefinity authentication method.