AD integration causes redirect loop

9 posts, 1 answered
  1. Mark
    20 posts
    Registered: 15 Oct 2012
    14 Feb 2013

    I have followed the instructions for setting up SSO with Windows Integration exactly.

    But I cannot access the site using my Windows credentials. It ends up with a redirection loop to any page, except the administration/settings page which gives a: You do not have a permission to access "/<SiteName>/Sitefinity/Administration/Settings".

    I have verified that the AD paths and credentials return groups and users appropriately.

    Any help would be great.

  2. Atanas Valchev
    414 posts
    Registered: 04 Jan 2016
    19 Feb 2013
    Hi,

    Have you given the appropriate permissions to the AD user in the Sitefinity backend? When you configure the LDAP, you need to assign permissions to the returned Roles or Users, otherwise they will not have the ability to access the backend.

    Would it be possible to try the following: Disable Single Sign On and try logging manually to /Sitefinity and select LdapUsers as the provider, that way you will be able to see what permissions your user has. 

    All the best,
    Atanas Valchev
    the Telerik team
    Answered
  3. Jamie
    25 posts
    Registered: 07 Aug 2012
    04 Sep 2013
    I am having the same issue. My LDAP user account has backend access. What else could the problem be? I noticed that my name claim includes the domain name, could that be it?
  4. Chris
    57 posts
    Registered: 12 Nov 2008
    04 Sep 2013
    I'm currently having a support ticket open regarding almost the same issue: Sitefinity 6.1SP1, SSO, Windows Authentication with LDAP.

    The difference is that I get the redirect loop only when I'm already logged in through a different browser, and only on frontend pages that require authentication. Something about the SelfLogout redirect seems to be broken here, but works fine when I go to /Sitefinity.

    Can you guys provide a bit more information (can you access frontend pages that require authentication? What happens when you go to /Sitefinity instead of /Sitefinity/Administration/Settings? What version of Sitefinity?)

    I'll keep you updated when I receive more information.

    Chris
  5. Jamie
    25 posts
    Registered: 07 Aug 2012
    04 Sep 2013 in reply to Chris
    I'm using a fresh install of SF 6.1 and I don't have any front end pages. I can log in to the backend as an LDAP user with no problem, so I know that I have the proper roles. When I change the config file to point to the STS I get the redirect loop after logging in. This occurs regardless of whether I'm running SitefinityStsWebApp locally (IIS Express) or on a real server with SSL. It definitely appears to be a permission issue. 
  6. Chris
    57 posts
    Registered: 12 Nov 2008
    04 Sep 2013 in reply to Jamie
    Can you please post the STS-related configuration in the 3 config files?
    Here's what I have, and it seems to work fine for accessing the backend (with the STS running locally on IIS Express with SSL):
    SitefinityWebApp: web.config
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" issuer="https://localhost:44300/mysts.ashx" realm="http://localhost" requireHttps="false"/>
      <cookieHandler requireSsl="false"/>
    </federatedAuthentication>

    SitefinityWebApp: SecurityConfig.config
    <securityTokenIssuers>
        <add key="<key>" encoding="Hexadecimal" membershipProvider="Default" realm="http://localhost" />
        <add key="<key>" encoding="Hexadecimal" membershipProvider="LdapUsers" realm="https://localhost:44300/mysts.ashx" />
    </securityTokenIssuers>
    <relyingParties>
        <add key="<key>" encoding="Hexadecimal" realm="http://localhost" />
    </relyingParties>

    SitefinityStsWebApp: web.config
    <appSettings>
        <add key="http://localhost:6625/" value="<key>"/>
    </appSettings>
  7. Stefani Tacheva
    718 posts
    Registered: 06 Dec 2016
    05 Sep 2013
    Hi,

    Thank you Chris for sharing your configurations. All of the configurations are correct. I want to note that the key that you are using should be the same in all configuration files and lines. For instance:

    SecurityConfig.config file
    <securityTokenIssuers>
        <add key="C3FD7A027B191121C0917F092981E0E5BA49AC85E8128244983FDE2D21CA32EE" encoding="Hexadecimal" membershipProvider="Default" realm="http://localhost" />
        <add key="C3FD7A027B191121C0917F092981E0E5BA49AC85E8128244983FDE2D21CA32EE" encoding="Hexadecimal" membershipProvider="LdapUsers" realm="http://localhost:15000/mysts.ashx" />
    </securityTokenIssuers>
    <relyingParties>
        <add key="C3FD7A027B191121C0917F092981E0E5BA49AC85E8128244983FDE2D21CA32EE" encoding="Hexadecimal" realm="http://localhost" />
    </relyingParties>

    Web.config file:

    <wsFederation passiveRedirectEnabled="true" issuer="http://localhost:15000/mysts.ashx" realm="http://localhost" requireHttps="false" />

    Web.config file STS:

    <add key="http://yourwebsite.com" value="C3FD7A027B191121C0917F092981E0E5BA49AC85E8128244983FDE2D21CA32EE" />

    http://localhost:15000 is the url of the STS site and
    http://yourwebsite.com is the url of your web site


    Furthermore, you need to make sure that the IIS configurations for the STS site are correct.

    • In IIS Manager, select the STS site.
    • In section IIS on the right, double-click Authentication.
    • Choose one of the following authentication types and set it in IIS:
    1. If all computers that are used to authenticate in Sitefinity are part of the domain, enable Windows Authentication and disable all others.
    2. If there are computers that are not part of the domain and that are used for authentication, enable Basic Authentication and disable all others. You could turn https on for this site to protect the transferred credentials.

    Furthermore, I would suggest that you review our Sitefinity documentation regarding configuring SSO:
    http://www.sitefinity.com/documentation/documentationarticles/setting-up-sso-with-windows-authentication


    Regards,
    Stefani Tacheva
    Telerik
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
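
The consistency rules from the posts above (the same key on every line of every file, issuer and realm values that agree across files), as an added Python example that is not part of the original thread or of Sitefinity. The function name `check_sts_config`, the wrapper elements and the placeholder key are assumptions made for the example; it also flags stray whitespace in a realm (assuming realms are compared as exact strings) and settings that allow plain HTTP.

```python
import xml.etree.ElementTree as ET

def check_sts_config(site_web, security_cfg, sts_web):
    """Cross-check the three config fragments; return a list of findings."""
    findings = []
    site, sec, sts = (ET.fromstring(x) for x in (site_web, security_cfg, sts_web))
    fed = site.find(".//wsFederation")
    issuers = sec.findall(".//securityTokenIssuers/add")
    parties = sec.findall(".//relyingParties/add")
    sts_keys = [a.get("value", "") for a in sts.findall(".//appSettings/add")]
    # Assumption: realms are compared as exact strings, so padding breaks the match.
    for el in [fed, *issuers, *parties]:
        for attr in ("issuer", "realm"):
            val = el.get(attr)
            if val is not None and val != val.strip():
                findings.append(f"whitespace in {el.tag} {attr}: {val!r}")
    issuer, realm = fed.get("issuer", "").strip(), fed.get("realm", "").strip()
    if issuer not in {i.get("realm", "").strip() for i in issuers}:
        findings.append(f"issuer {issuer} has no securityTokenIssuers entry")
    if realm not in {p.get("realm", "").strip() for p in parties}:
        findings.append(f"realm {realm} has no relyingParties entry")
    # The same key must appear on every line of every file.
    keys = {e.get("key", "") for e in issuers + parties} | set(sts_keys)
    if len(keys) != 1:
        findings.append(f"{len(keys)} different keys in use, expected 1")
    # These settings let the token and session cookie travel over plain HTTP.
    if fed.get("requireHttps", "true").lower() == "false":
        findings.append("wsFederation requireHttps is false")
    cookie = site.find(".//cookieHandler")
    if cookie is not None and cookie.get("requireSsl", "").lower() == "false":
        findings.append("cookieHandler requireSsl is false")
    return findings

# Constructed sample: placeholder key, wrapper elements added so each part parses.
KEY = "00112233445566778899AABBCCDDEEFF"  # placeholder, not a real key
SITE = (
    '<federatedAuthentication><wsFederation passiveRedirectEnabled="true" '
    'issuer="http://localhost:15000/mysts.ashx" realm=" http://localhost" '
    'requireHttps="false"/></federatedAuthentication>'
)
SEC = f"""<securityConfig><securityTokenIssuers>
  <add key="{KEY}" encoding="Hexadecimal" membershipProvider="LdapUsers"
       realm="http://localhost:15000/mysts.ashx"/>
</securityTokenIssuers><relyingParties>
  <add key="{KEY}" encoding="Hexadecimal" realm="http://localhost"/>
</relyingParties></securityConfig>"""
STS = f'<configuration><appSettings><add key="http://localhost" value="{KEY}"/></appSettings></configuration>'

if __name__ == "__main__":
    for finding in check_sts_config(SITE, SEC, STS):
        print(finding)
```
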
  8. Chris
    57 posts
    Registered: 12 Nov 2008
    19 Sep 2013
    Quick update on the issue I mentioned above: The STS redirect loop for pages that require authentication has been fixed with Sitefinity 6.1 SP2.
  9. Stefani Tacheva
    718 posts
    Registered: 06 Dec 2016
    23 Sep 2013
    Hi,

    I am glad to hear that the problem has been fixed.

    Regards,
    Stefani Tacheva
    Telerik