External Security Token Service issues

8 posts, 1 answered
  1. Bill
    26 posts
    Registered:
    18 Jul 2012
    18 Jul 2012
    When I follow the provided instructions here:

    http://www.sitefinity.com/documentation/documentationarticles/setting-up-sso-with-windows-authentication

    Most things work as expected except for the occasional infinite redirect loop, but when I pull up a page in the cms backend and edit it I get this error when I try to publish:

    The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'

    I also wrote a variation of the token service to use our standard third party auth and when I publish after logging in with that I get:

    Return code: 0

    When I examine the IIS logs I can see that an attempt to call
    /DefaultWorkflows/PagesApprovalWorkflow.xamlx
    resulted in the client side javascript being 302'ed to the login page at which point it seems to abort the request.

    Whatever is running the backend services is not acknowledging the login state of the client when I use an external STS.

    In the customized token service I have pretty much everything working except the backend services and role updates.  I cannot get a person's role claims to be recognized when they log out and log back in after having their roles changed in the 3rd party user data store.  Whenever someone logs in their roles are stuck until I recycle the worker pool for the Sitefinity site regardless of what the STS is indicating in claims on later logins.

    NT auth and Sitefinity's built-in basic auth are simply not acceptable solutions for our customers.  This wasn't too difficult to correct in 3.7 but looks like it might be a dealbreaker for doing new projects in Sitefinity in the future if we cannot correct it.

    edit: forgot to include that I am using Sitefinity 5.0.2523.0 on Windows 7 using IIS 7.5
  2. David
    11 posts
    Registered:
    20 Sep 2010
    19 Jul 2012
    Probably not much help but, I have just checked and I can publish pages when using an external STS.
    I am using Sitefinity 5.0.2860.0 on Windows 7 IIS7.5.
    My user is BackendUser AND Administrator. I did notice that I have sometimes needed to restart IIS to make security changes propagate through to my browser.

    Just downloaded the new SF 5.1 example STS, but it looks like the same code in a slightly different format. Fingers crossed :)
  3. Bill
    26 posts
    Registered:
    18 Jul 2012
    19 Jul 2012
    Some feedback that it actually can work is useful, and since you are on a later version maybe I need to wipe this installation and start over if I end up spending too much more time without making progress.

    Out of curiosity, in your earlier post it sounded like you intended to mod the sts example to your own needs.  If you did that could you offer some hint at what you changed?
  4. David
    11 posts
    Registered:
    20 Sep 2010
    19 Jul 2012
    My requirements were:
    Use existing forms based database
    Use Custom role provider
    Only sign in once to have filtered content in Sitefinity, but to also use our backend websites.

    I have modified the STS so that the authentication is forms based and uses our existing db; I amended the SimpleWebTokenHandler.cs slightly, see below. I also had to point Sitefinity at our forms database (Security.config and web.config changes). I'll post a full description on my other thread this evening.
    // Windows-authentication check from the sample STS, commented out:
    //var winPrincipal = context.User as WindowsPrincipal;
    //if (winPrincipal == null || !winPrincipal.Identity.IsAuthenticated)
    //    throw new ConfigurationException("This web site is not correctly configured for Windows authentication.");
    //var principal = ClaimsPrincipal.CreateFromPrincipal(winPrincipal);
    // Replacement: build the claims principal from whatever principal forms authentication attached to the request
    var principal = ClaimsPrincipal.CreateFromPrincipal(context.User);
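An added example (not David's code and not Telerik's sample STS) of a forms-authentication version of that principal lookup which keeps the authenticated-caller check the commented-out Windows lines performed and attaches role claims read from the configured role provider. It assumes the WIF 3.5 namespaces (Microsoft.IdentityModel.Claims) used by the Sitefinity 5 sample STS, a web.config with forms authentication and a custom role provider configured, and the hypothetical class name FormsPrincipalFactory.

```csharp
// Added example, not part of the thread or of Telerik's SimpleWebTokenHandler.cs.
// Assumes WIF 3.5 (Microsoft.IdentityModel.*); on .NET 4.5 use System.Security.Claims.
using System;
using System.Configuration;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using Microsoft.IdentityModel.Claims;

public static class FormsPrincipalFactory   // hypothetical helper name
{
    public static IClaimsPrincipal CreateFromFormsAuth(HttpContext context)
    {
        IPrincipal user = context.User;

        // An STS must never mint a token for an anonymous caller, so keep a check
        // equivalent to the one the Windows-auth sample did on WindowsPrincipal.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            throw new ConfigurationErrorsException(
                "This STS requires forms authentication; the caller is not authenticated.");

        // Guard against the STS silently running under a different authentication
        // mode than the one it was configured for.
        if (!(user.Identity is FormsIdentity))
            throw new ConfigurationErrorsException(
                "Expected a FormsIdentity; check <authentication mode=\"Forms\"> in web.config.");

        // Wrap the forms principal as a claims principal (name claim comes from the identity).
        IClaimsPrincipal principal = ClaimsPrincipal.CreateFromPrincipal(user);
        var identity = (IClaimsIdentity)principal.Identity;

        // Role claims come from the role provider configured in web.config (the custom
        // provider in this setup), looked up at token-issue time so the token carries
        // the role set currently stored for the user rather than a stale copy.
        foreach (string role in Roles.GetRolesForUser(user.Identity.Name))
        {
            identity.Claims.Add(new Claim(ClaimTypes.Role, role));
        }

        return principal;
    }
}
```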
  5. Bill
    26 posts
    Registered:
    18 Jul 2012
    19 Jul 2012
    That is pretty much the same thing I did along with many variants of issuing the roles claims.  It is sounding more and more like either I have a buggy version or I have some subtle misconfiguration somewhere in the custom sts I am not seeing.

    I look forward to seeing your example to compare.

    If there are any Telerik folks reading this here is some detail that may be useful to you:

    Since yesterday I did discover that the 302 on DefaultWorkflows/PagesApprovalWorkflow.xamlx was resulting in a second session being started because it was redirecting to the STS and the provided STS code ALWAYS issues a new token id.  I corrected that and now the redirect to and back from the STS is fine, but when I return to DefaultWorkflows/PagesApprovalWorkflow.xamlx it now calls ~/Sitefinity/Services/Workflow/WorkflowService.svc and the client pops this error:
    The content type text/html; charset=UTF-8 of the response message does not match the content type of the binding (text/xml; charset=utf-8). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. The first 1024 bytes of the response were: '<HTML><HEAD><link rel="alternate" type="text/xml" href="http://localhost/sf-five/DefaultWorkflows/PagesApprovalWorkflow.xamlx?disco"/><STYLE type="text/css">#content{ FONT-SIZE: 0.7em; PADDING-BOTTOM: 2em; MARGIN-LEFT: 30px}BODY{MARGIN-TOP: 0px; MARGIN-LEFT: 0px; COLOR: #000000; FONT-FAMILY: Verdana; BACKGROUND-COLOR: white}P{MARGIN-TOP: 0px; MARGIN-BOTTOM: 12px; COLOR: #000000; FONT-FAMILY: Verdana}PRE{BORDER-RIGHT: #f0f0e0 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #f0f0e0 1px solid; MARGIN-TOP: -5px; PADDING-LEFT: 5px; FONT-SIZE: 1.2em; PADDING-BOTTOM: 5px; BORDER-LEFT: #f0f0e0 1px solid; PADDING-TOP: 5px; BORDER-BOTTOM: #f0f0e0 1px solid; FONT-FAMILY: Courier New; BACKGROUND-COLOR: #e5e5cc}.heading1{MARGIN-TOP: 0px; PADDING-LEFT: 15px; FONT-WEIGHT: normal; FONT-SIZE: 26px; MARGIN-BOTTOM: 0px; PADDING-BOTTOM: 3px; MARGIN-LEFT: -30px; WIDTH: 100%; COLOR: #ffffff; PADDING-TOP: 10px; FONT-FAMILY: Tahoma; BACKGROUND-COLOR: #003366}.intro{MARGIN-LEFT: -15px}</STYLE><TITLE>ContentApprovalWorkflow Service</TITLE>'.

    In the IIS log I get a 500 with an exception detail for what I presume to be an internal call that looks like it should be a 401:

    Log Name:      Application
    Source:        ASP.NET 4.0.30319.0
    Date:          7/19/2012 9:40:19 AM
    Event ID:      1309
    Task Category: Web Event
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      VDI-W7-DEV-17.eim-inc.net
    Description:
    Event code: 3005
    Event message: An unhandled exception has occurred.
    Event time: 7/19/2012 9:40:18 AM
    Event time (UTC): 7/19/2012 1:40:18 PM
    Event ID: 5f37912e4fad439291a049950dbbd76b
    Event sequence: 4
    Event occurrence: 1
    Event detail code: 0
      
    Application information:
        Application domain: /LM/W3SVC/1/ROOT/sf-five-1-129871787758435304
        Trust level: Full
        Application Virtual Path: /sf-five
        Application Path: C:\inetpub\wwwroot\sf-five\
        Machine name: VDI-W7-DEV-17
      
    Process information:
        Process ID: 8876
        Process name: w3wp.exe
        Account name: IIS APPPOOL\ASP.NET v4.0
      
    Exception information:
        Exception type: HttpException
        Exception message: You are not authorized to access this page
       at Telerik.Sitefinity.Web.SitefinityRoute.CheckSecurity(HttpContextBase httpContext, PageSiteNode node)
       at Telerik.Sitefinity.Web.SitefinityRoute.GetRouteData(HttpContextBase httpContext)
       at System.Web.Routing.RouteCollection.GetRouteData(HttpContextBase httpContext)
       at System.Web.Routing.UrlRoutingModule.PostResolveRequestCache(HttpContextBase context)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
     
      
      
    Request information:
        Request path: /sf-five/secure/Action/Edit
        User host address: ::1
        User: 
        Is authenticated: False
        Authentication Type: 
        Thread account name: IIS APPPOOL\ASP.NET v4.0
      
    Thread information:
        Thread ID: 6
        Thread account name: IIS APPPOOL\ASP.NET v4.0
        Is impersonating: False
        Stack trace:    at Telerik.Sitefinity.Web.SitefinityRoute.CheckSecurity(HttpContextBase httpContext, PageSiteNode node)
       at Telerik.Sitefinity.Web.SitefinityRoute.GetRouteData(HttpContextBase httpContext)
       at System.Web.Routing.RouteCollection.GetRouteData(HttpContextBase httpContext)
       at System.Web.Routing.UrlRoutingModule.PostResolveRequestCache(HttpContextBase context)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
      
      
    Custom event details:
     
  6. David
    11 posts
    Registered:
    20 Sep 2010
    Answered
  7. Bill
    26 posts
    Registered:
    18 Jul 2012
    19 Jul 2012
    I think seeing your working example of security.config shows me something went wrong when I used the admin tools to edit the settings.  Looks promising so far.  I will update after some additional testing.

    Thanks for the example regardless.

    UPDATE:
    It looks like the security config issue and something I had wrong in the role implementation were most of my issues.  That means I have even more work to do, but at least I think I am on the right track.  We have wasted weeks trying to do this off the developer docs and I pretty much just did a POC version from scratch in about 6 hours with David's examples.

    This sort of detailed example is sorely needed in the Sitefinity 5 Docs.

    Thanks again David.
  8. zamd
    2 posts
    Registered:
    31 Oct 2012
    06 Feb 2013 in reply to Bill
    I did a blog post today which might help you. I intend to blog about a few advanced scenarios as well in the coming weeks.

    http://zamd.net/2013/02/06/custom-sts-for-sitefinity-5-x/