Troubleshooting guide to You do not have access to the system in Sitecore Identity Server

Avatar de Vinicius

A few weeks ago, a user complaint that couldn’t sign-in to Sitecore via Azure AD and was getting the following error message

You do not have access to the system. If you think this is wrong, please contact the system administrator.

Sitecore Login You do not have access Sitecore Blog Vinicius Deschamps

This error message leads us to believe the user is missing something on its account. So, let’s check a few hings

  1. User’s Azure AD Security Groups
  2. Check the existence of the Azure AD Security Groups claiming a Sitecore Role in ..\sitecore\Sitecore.Plugin.IdentityProvider.AzureAd\Config\Sitecore.Plugin.IdentityProvider.AzureAd.xml
  3. Verify the existence of the Sitecore Role in Sitecore

User’s Azure AD Security Groups

It is possible to verify the user’s membership through Azure Portal or via Powershell, using Azure AD module.

The following script is similar to the one used for troubleshooting the number of groups a user belong to, however, this time the idea is to list just the security groups that are used to claim a Sitecore role.

$FindUser = “[email protected]

(Get-AzureADUser -SearchString $FindUser | Get-AzureADUserMembership -All $true | ? {$_.ObjectType -ne “Role”} | % {Get-AzureADGroup -ObjectId $_.ObjectId | select DisplayName,ObjectType,MailEnabled,SecurityEnabled,ObjectId} | ? {$_.SecurityEnabled -eq $true} | where-object { $_.DisplayName -like ‘Sitecore*’ } | select DisplayName,ObjectID )

Get AzureADUser Security Group Blog Vinicius Deschamps

Every environment has its own particularities, therefore note that the script is going to show groups named as Sitecore because that’s the way I decided to distinct them from the other groups.

Also, note that the group also highlights the environment it is associated to, which means, you can verify if the environment the user wants to access is the DEV environment, otherwise, you already know wthat’s going on 🙂

However, if that’s not the case, let’s continue to the next step…

Sitecore.Plugin.IdentityProvider.AzureAd.xml

There are plenty options to access this file, and for the purpose of this verification, let’s use App Service Editor.

Well, assuming you have access to the Azure Portal, navigate your Sitecore Identity Server App Service

1. Navigate to your App Services, click on the Sitecore Identity App Service, and look for App Service Editor, then click Go

Azure App Services App Editor Blog Vinicius Deschamps

2. In the App Service Editor magnifier icon, provide the Azure AD ID, the file to search and hit enter. Then, if the group exists in the file, click at the search result

Azure App Service Editor Navigate Blog Vinicius Deschamps

3. At your right, the file appears and highlighting your search

Azure App Service Editor Sitecore Plugin Identity Azure AD Config Blog Vinicius Deschamps

As you can see the Azure AD Security Group ID is there but what if it doesn’t? What would be the next step?

Well, in my case, the Azure AD Security Group shows the permission it intents to claim, and in that case it would be Author, so please back to step 2 and search for Author and consider to check the following

  • Is there any <NewClaims> values pointing to Sitecore\Author or Author roles?
  • Does the <SourceClaims> have the wrong Azure AD Security Group ID or none at all?

However, if that’s not the case, let’s continue to the next step…

Sitecore Role existence

Go to your Sitecore Content Management

1. Access the Sitecore Experience Platform, and on Access Management, click in Role Manager

Sitecore Experience Platform Role Manager Blog Vinicius Deschamps

2. In the Search field, type Author and hit enter

Sitecore Role Manager List Blog Vinicius Deschamps

Once again, as you can see, my Sitecore has the sitecore\Author but what if it doesn’t? Well, in that case you have to create the role and test the access again.

Those steps are the initial ones to perform a troubleshoot when a user faces the “You do not have access to the system” error!

I hope you liked it, and I’ll see you on my next post!

Photo by Tekton on Unsplash

Tagged in :

Avatar de Vinicius

3 respostas para “Troubleshooting guide to You do not have access to the system in Sitecore Identity Server”

Deixe um comentário

O seu endereço de e-mail não será publicado. Campos obrigatórios são marcados com *