[v11.10.5] Roles do not appear to be mapping on new database copy

Vote:
 

Hi,

I've recently done a copy of my database (which works fine) and yet, using the same codebase with the new database, I'm intermittently unable to access the CMS. The login itself seems to work ok, as it logs me in as a user of the site, I just don't seem to get Admin/CmsAdmin priveledges for some reason.

I've also tested this on my staging server where it doesn't seem to ever work, even using the original database. So, it seems like that may be a separate, though possibly-related, environmental issue.

Has anyone ever run into anything similar? I'm starting to run out of ideas for things to try...

#198319
Oct 25, 2018 11:02
Vote:
 

Hi,

You say you have run out of ideas to try, so what have you tried already?

What kind of authentication have you set up? How does you configuration look like, e.g. to what groups and/or users is edit mode locked down to and how does your virtual roles configuration look like?

#198326
Edited, Oct 25, 2018 14:49
Vote:
 

Hi Johan,

Virtual roles config is as below -

<virtualRoles replacePrincipal="true">
  <providers>
    <add name="Administrators" type="EPiServer.Security.WindowsAdministratorsRole, EPiServer.Framework" />
    <add name="Everyone" type="EPiServer.Security.EveryoneRole, EPiServer.Framework" />
    <add name="Authenticated" type="EPiServer.Security.AuthenticatedRole, EPiServer.Framework" />
    <add name="Anonymous" type="EPiServer.Security.AnonymousRole, EPiServer.Framework" />
    <add name="PackagingAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebAdmins, Administrators" mode="Any" />
    <add name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebAdmins, Administrators, MEDIASQUARE\Dev" mode="Any" />
    <add name="CmsEditors" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebEditors" mode="Any" />
    <add name="Creator" type="EPiServer.Security.CreatorRole, EPiServer" />
    <add name="CommerceAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebAdmins, Administrators" mode="Any" />
    <add name="EPiBetaUsers" type="EPiServer.Security.EveryoneRole, EPiServer.Framework" />
  </providers>
</virtualRoles>

With the providers as follows -

<roleManager enabled="true" defaultProvider="MultiplexingRoleProvider" cacheRolesInCookie="true">
  <providers>
    <clear />
    <add name="MultiplexingRoleProvider" type="EPiServer.Security.MultiplexingRoleProvider, EPiServer.Framework.AspNet" provider1="SqlServerRoleProvider" provider2="WindowsRoleProvider" provider3="CustomRoleProvider" providerMap1="SqlServerMembershipProvider" providerMap2="WindowsMembershipProvider" providerMap3="CustomMembershipProvider" />
    <add name="WindowsRoleProvider" applicationName="CMS" type="EPiServer.Security.WindowsRoleProvider, EPiServer.Cms.AspNet" />
    <add name="SqlServerRoleProvider" connectionStringName="EPiServerDB" applicationName="CMS" type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    <!-- ECF Start -->
    <add connectionStringName="EcfSqlConnection" applicationName="Customers" name="CustomRoleProvider" type="Mediachase.Commerce.Customers.Profile.Providers.CustomerSqlRoleProvider, Mediachase.Commerce" />
    <!-- ECF End -->
  </providers>
</roleManager>
<membership defaultProvider="MultiplexingMembershipProvider" userIsOnlineTimeWindow="10" hashAlgorithmType="HMACSHA512">
  <providers>
    <clear />
    <add name="MultiplexingMembershipProvider" type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer.Framework.AspNet" provider1="SqlServerMembershipProvider" provider2="WindowsMembershipProvider" provider3="CustomMembershipProvider" />
    <add name="WindowsMembershipProvider" type="EPiServer.Security.WindowsMembershipProvider, EPiServer.Cms.AspNet" deletePrefix="BUILTIN\" searchByEmail="true" />
    <add name="SqlServerMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="EPiServerDB" requiresQuestionAndAnswer="false" applicationName="CMS" requiresUniqueEmail="true" enablePasswordReset="true" passwordFormat="Hashed" maxInvalidPasswordAttempts="1000" minRequiredPasswordLength="8" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="1" passwordStrengthRegularExpression="" />
    <!-- ECF Start -->
    <add connectionStringName="EcfSqlConnection" applicationName="Customers" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" passwordFormat="Hashed" passwordStrengthRegularExpression="" minRequiredPasswordLength="4" minRequiredNonalphanumericCharacters="0" name="CustomEraMembershipProvider" type="Mediachase.Commerce.Customers.Profile.Providers.CustomerSqlMembershipProvider, Mediachase.Commerce" />
    <!-- ECF End -->
  </providers>
</membership>

The things I've tried so far have been to ensure the site definitions are correct, make sure that Windows user accounts are in the groups that are mapped in config, testing other providers (SQL and Custom providers both work properly), checking episerver and windows logs for errors - to no avail so far and then generally a lot of trial and error with the config.

Originally I thought this was environmental as I experienced it on the test server first and with 100% replication but the fact that it is intermittently replicable locally has really threw me off. I keep going between database issue and environment issue but I'm not particularly convinced that it's definitely either of them.

I think possibly the local one starts working after I switch back to the working database, then again to the problematic one without clearing cookies - it stays working for a while though, so it's hard to test this theory due to the amount of other variables introduced into the mix by my investigations...

#198327
Oct 25, 2018 15:33
Vote:
 

Somewhere in web.config you should have something like this:

	<location path="episerver">
		<system.web>
			<authorization>
				<allow roles="CmsEditors, CmsAdmins, Administrators" />
				<deny users="*" />
			</authorization>
		</system.web>
	</location>

That's how edit mode is locked down (you probably have a location for episerver/cms/admin as well), if episerver is configured to be accessed on /episerver/cms/.

If you have CmsEditors configured like above, your user need to be a member of that virual role. Maybe you have WebEditors instead, then the user need to be member of that group. I like to use virtual roles for this kind of configuration. Because then you can "configure and forget"... and just update the virtual role instead if/when new groups need access to Episerver.

Given the configuration you posted your user must be member of WebEditors to be member of CmsEditors. Is your user member of WebEditors?

WebEditors is usually a local group created in Episerver.

I can see that you have one Windows group configured for the virtual role CmsAdmins, but does CmsAdmins have access to the location /episerver/?

#198328
Edited, Oct 25, 2018 15:44
Vote:
 

Hey James

Really stupid question, you mention database (singular). The config you have pasted in looks like you are running Commerce too. I assume you copied and restored the CMS and Commerce DBs?

Also you are using a mutliplexing provider where Windows authentication is configured and you have the CmsAdmins role mapped to MEDIASQUARE\Dev. So the question really is are you logging in with Windows or local SQL authentication? If Windows are you in the MEDIASQUARE\Dev group?

David

#198329
Oct 25, 2018 15:57
Vote:
 

This is my location config:

<location path="episerver">
    <system.web>
      <httpRuntime maxRequestLength="1000000" requestValidationMode="2.0" />
      <pages enableEventValidation="true" enableViewState="true" enableViewStateMac="true">
        <controls>
          <add tagPrefix="EPiServerUI" namespace="EPiServer.UI.WebControls" assembly="EPiServer.UI" />
          <add tagPrefix="EPiServerScript" namespace="EPiServer.ClientScript.WebControls" assembly="EPiServer.Cms.AspNet" />
          <add tagPrefix="EPiServerScript" namespace="EPiServer.UI.ClientScript.WebControls" assembly="EPiServer.UI" />
        </controls>
      </pages>
      <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
      <authorization>
        <allow roles="WebEditors, WebAdmins, Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
    <system.webServer>
      <handlers>
        <clear />
        <!-- This section is copied from applicationhost.config -->
        <add name="AssemblyResourceLoader-Integrated-4.0" path="WebResource.axd" verb="GET,DEBUG" type="System.Web.Handlers.AssemblyResourceLoader" preCondition="integratedMode,runtimeVersionv4.0" />
        <add name="PageHandlerFactory-Integrated-4.0" path="*.aspx" verb="GET,HEAD,POST,DEBUG" type="System.Web.UI.PageHandlerFactory" preCondition="integratedMode,runtimeVersionv4.0" />
        <add name="SimpleHandlerFactory-Integrated-4.0" path="*.ashx" verb="GET,HEAD,POST,DEBUG" type="System.Web.UI.SimpleHandlerFactory" preCondition="integratedMode,runtimeVersionv4.0" />
        <add name="WebServiceHandlerFactory-Integrated-4.0" path="*.asmx" verb="GET,HEAD,POST,DEBUG" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="integratedMode,runtimeVersionv4.0" />
        <add name="svc-Integrated-4.0" path="*.svc" verb="*" type="System.ServiceModel.Activation.ServiceHttpHandlerFactory, System.ServiceModel.Activation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="integratedMode,runtimeVersionv4.0" />
        <add name="wildcard" path="*" verb="*" type="EPiServer.Web.StaticFileHandler, EPiServer.Framework.AspNet" />
      </handlers>
    </system.webServer>
  </location>
  <location path="episerver/CMS/admin">
    <system.web>
      <authorization>
        <allow roles="WebAdmins, Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

Shouldn't I be getting in through being part of the 'Administrators' group?

Doesn't look like CmsAdmins has access but I've just amended the location config to give it access but to no avail.

These are the virtual roles that I believe should give me access through my domain account:

<add name="Administrators" type="EPiServer.Security.WindowsAdministratorsRole, EPiServer.Framework" />
<add name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebAdmins, Administrators, MEDIASQUARE\Dev" mode="Any" />

Is this not the case? Administrators has access to every location too.

#198331
Oct 25, 2018 16:13
Vote:
 
#198332
Edited, Oct 25, 2018 16:17
Vote:
 

Hi David,

Yep, we're running commerce too and both databases have been restored. There is a third but that's for an isolated codebase that is the other end of a message queue.

I'm logging in with my Windows account and I am a member of that \Dev group, amongst others, having checked in with PowerShell's 'whoami /groups' command/

Cheers,

James

#198333
Oct 25, 2018 16:20
Vote:
 

Change

<allow roles="WebEditors, WebAdmins, Administrators" />

To

<allow roles="CmsEditors, CmsAdmins, Administrators" />

And

<allow roles="WebAdmins, Administrators" />

To

<allow roles="CmsAdmins, Administrators" />

That should make your life a bit easier to start with. Then you only need to configure virtual roles in the future. So make sure the virtual roles maps to correct roles, both from the database and Windows/AD.

Then the next step would be to confirm that you actually are member of any of the configured virtual roles. One way would be to drop an aspx in the web root that lists all the roles for the current user.

#198335
Edited, Oct 25, 2018 16:27
Vote:
 

Oops noticed a typo in CmsEditos, should of course be CmsEditors. Regarding the virtual role Administrators, yes that should work, given that you actually are administrator of your computer/server.

#198336
Edited, Oct 25, 2018 16:32
Vote:
 

Thanks, Johan. Having output in the page instead of on the machine, I can see that somebody had thoughtfully changed the group name...

Thanks for your help though, I think I'd gotten inside my own head a little on this one - it's been a long week... :)

#198339
Oct 25, 2018 16:42
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.