I had to set up an integration between Azure Active Directory and Sitecore 9.1, and I was able to accomplish it by following the steps on Derek Correia’s blog. Then I had to map claims to user profiles as well.
Once I had everything in place, I added users to the groups according to the roles mapped in Sitecore, and it was working fine.
A few days ago, one of the users complained about not being able to access Sitecore using their Azure AD account and, fair enough, the account was not part of the group. So I added the account to the group and asked the user to check again, and I received the following response:
“I’m still seeing the same error as before: You do not have access to the system. If you think this is wrong, please contact the system administrator.”

Weird, right? Sitecore should check the group, verify that the user is now a member, and then allow access, but for some reason that was not happening.
While troubleshooting, I observed that the user had been added to the Users in Sitecore.

I then performed two additional steps:
- Removed the user created after the first sign-in and asked the user to log in again, but no luck (please note that, once again, the user was automatically added in Sitecore)
- Added the user to the Sitecore Authors group and asked the user to sign in again, and oddly enough the user was able to access Sitecore
Unfortunately, this didn’t address the problem, because the main idea is to have the permissions mapped to Azure AD groups and not to individuals, so I decided to open a Sitecore ticket.
Based on the information I provided, the Sitecore Support team asked me to perform the following steps:
- Delete Vinicius from the User Manager
- Make sure he is part of the Azure AD Group that allows access to Sitecore
- Restart Sitecore CMS and Sitecore Identity Server
- Have Vinicius try to log in again and let us know the results
After following the steps, Vinicius was able to log in without issues, but I decided to perform additional steps:
- Delete Vinicius from the User Manager
- Make sure he is NOT part of the Azure AD Group
- Have Vinicius try to log in again
And the user still had access to Sitecore, so I restarted Sitecore CMS and Sitecore Identity Server, and as expected Vinicius couldn’t sign in anymore. In other words, removing the user from the Azure AD group did not take effect until the Identity Server was restarted.
The workaround is to restart the Sitecore Identity Server every time you add or remove users from the Azure AD group; however, that isn’t acceptable for production environments.
After collecting this information, the Sitecore Support team came back with a hotfix.
For your reference, if you face the same issue, the ticket number is #322237.
According to the Sitecore Support response:
Be aware that the hotfix was built specifically for Sitecore 9.1.0, and you should not install it on other Sitecore versions or in combination with other hotfixes, unless explicitly instructed by Sitecore Support.
Please follow the readme instructions inside the zip file archive carefully to install the hotfix (note that the fix is being applied to the Sitecore IdentityServer, and not your Sitecore CMS site).
You should replace all the files in the original locations at your Sitecore Identity Server, please find the content of this hotfix below:
- Website root folder\
  - Sitecore.Plugin.IdentityServer.dll
  - Sitecore.Plugin.IdentityServer.xml
- Website root\sitecore\Sitecore.Plugin.IdentityServer\Config
  - identityServer.xml
- Website root\sitecore\Sitecore.Plugin.IdentityServer\
  - Sitecore.Plugin.manifest
Then follow these steps:
- Stop Sitecore Identity Server
- Copy the files to Sitecore Identity Server and overwrite existing files
- Start Sitecore Identity Server
Once I had performed the steps above, I executed the following validation:
- Delete Vinicius from the User Manager
- Make sure he is part of the Azure AD Group that allows access to Sitecore
- Have Vinicius try to log in again
IT WORKED!!!
No restart was required after applying the Sitecore hotfix.
I hope you liked it, and I’ll see you on my next post!
Credits
Photo by Louis Hansel on Unsplash
