Strange behaviour when enabling site security
Essentials 3.10.1: A site that works perfectly fine unsecured will not load when site security is enabled. Security is enabled through Manager using a pre-existing role from the Global Geocortex Security Provider. Essentials gives me an initialization error, and in the system log I find the following message:
<Event Timestamp="2013-01-10T10:54:08.2368042+01:00" Level="WARN" Identity="Guest"><Message>Authorization failure: Geocortex.ApplicationServices.Security.Enforcement.AuthorizationException: The current user cannot access the desired resource.
..... ... </Message></Event>
So, what I do, after noticing 'Identity="Guest"' in the log message, I manually add the following inside the Site.xml Permissions element:
<Allow WellKnownRole="Guest">
<Authenticate />
</Allow>
With this in place, the site launches, and I can successfully log in using the credentials of a user having the above mentioned pre-existing role. Despite this, I still get the same "Authorization failure" message in the logfile.
I don't understand this. Why is this WellKnownRole needed, and if it really is needed, why doesn't Manager add this to the code when site security is enabled? And where does this identity "Guest" come from? I have no such user or role defined in the security provider, and I wonder why the system is trying to operate using this identity.
-Jostein
-
Hi Jostein , the WellKnownRole is needed in order for the “Guest” user to reach the authentication page (so you can see the login prompt: as soon as you launch the site, you haven’t provided credentials yet so the system uses “Guest”). However, that entry on the site.xml doesn’t mean that the “Guest” user is allowed to login, it’s just allowed to reach the login page. The entry is added by Manager to the site.xml when you enable security on your site. In order to check if there is something wrong with your site, you can create a brand new site, enable security, and see if the entry was added or not to the site.xml.
The entry on the log file means that an authentication failed for a user. On the access log file for the viewer you should see an entry indicating if the login for your user succeeded or failed for the user.
-Alejandro
0 -
The entry for the well known role "Guest" is not added automatically by the manager. I have to to this manually. Any idea why?
0 -
Hi Jostein, I’ve submitted a case in our bug tracker for this issue. Could you provide us more information about this? (like how many sites you have, OS version, other steps that you’ve tried). Also, have you made any modifications to the asset.config file?
- Alejandro
0 -
Alejandro, for the moment, we run eight Essentials sites, and use the Global Geocortex Security Provider.
OS is Win Server 2008 R2 Standard, SP1, and Essentials version is 3.10.1. I have never touched the Asset.config file. We are running behind a reverse proxy that is bypassed on local connections.
I'm afraid I don't have any more relevant information that I can think of. The entry for the well known role is simply not there after security is enabled, no matter how complex or simple the site configuration is. I have modified Web.config files in the REST and Manager directories, adding the <defaultProxy> element. Except this, the system is at its default configuration.
Jostein
0 -
I just upgraded to Essentials 3.12, and it has the same behaviour. No entry for the well known role
Jostein
0 -
I am experiencing the same issue on 3.12. Strangely, the well known role entry does get added if I create the site, but it is not added if my coworker creates the site. If we add the entry manually to his Site.xml, the site works fine. We are both part of the Essentials admin group (set up with the AdminRoleName parameter in IIS).
We are also running Windows Server 2008 R2 Standard, SP1. Geocortex Essentials version is 3.12, with Silverlight Viewer 1.8.
0 -
Thanks Matt for the information, I'll add that to our bugtracker case.
-Alejandro
0 -
Same behavior after upgrading to 3.14. Created a new site that worked fine. Once I enabled security I was unable to access the site until I added Guest to Site.xml.
0 -
Hi, has this issue been resolved?
One of my clients also gets messages in the Log File similar to the following:
<Event Timestamp="2013-01-10T10:54:08.2368042+01:00" Level="WARN" Identity="Guest"><Message>Authorization failure: Geocortex.ApplicationServices.Security.Enforcement.AuthorizationException: The current user cannot access the desired resource.
..... ... </Message></Event>The client is using Silverlight Viewer 1.8, uses Windows Authentication, the messages were also Identified as Guest, and what's really peculiar is that these messages can even pop up at really late times like 3am and 4am. Any clue to what's going on?
David
0 -
I have the same problem again (I guess) with 4.1.0. But in this version, the security system has changed, and my old workaround adding
<Allow WellKnownRole="Guest">
<Authenticate />
</Allow>to the xml does not work. I get the message "The current user cannot access the desired resource" when launching a site with permissions given to one of the roles from Geocortex Identity Server. To launch the site, I have to give permissions to "Anonymous Access - Guest", but then you don't reach no login page, and the site is no longer secured. Has anyone experienced this?
0
Bitte melden Sie sich an, um einen Kommentar zu hinterlassen.
Kommentare
10 Kommentare