Troubleshooting guide to “You do not have access to the system” in Sitecore Identity Server

Vinicius's avatar

A few weeks ago, a user complained that they couldn’t sign in to Sitecore via Azure AD and were getting the following error message:

You do not have access to the system. If you think this is wrong, please contact the system administrator.


This error message leads us to believe the user is missing something on their account. So, let’s check a few things:

  1. User’s Azure AD Security Groups
  2. Check the existence of the Azure AD Security Groups claiming a Sitecore Role in ..\sitecore\Sitecore.Plugin.IdentityProvider.AzureAd\Config\Sitecore.Plugin.IdentityProvider.AzureAd.xml
  3. Verify the existence of the Sitecore Role in Sitecore

User’s Azure AD Security Groups

It is possible to verify the user’s membership through the Azure Portal or via PowerShell, using the Azure AD module.

The following script is similar to the one used for troubleshooting the number of groups a user belongs to; however, this time the idea is to list just the security groups that are used to claim a Sitecore role.

# Sign-in name of the affected user
$FindUser = "username@domain.com"

# List the user's security-enabled groups whose display name starts with "Sitecore"
(Get-AzureADUser -SearchString $FindUser | Get-AzureADUserMembership -All $true | ? {$_.ObjectType -ne "Role"} | % {Get-AzureADGroup -ObjectId $_.ObjectId | select DisplayName,ObjectType,MailEnabled,SecurityEnabled,ObjectId} | ? {$_.SecurityEnabled -eq $true} | Where-Object { $_.DisplayName -like 'Sitecore*' } | select DisplayName,ObjectId)


Every environment has its own particularities, so note that the script only shows groups whose names start with Sitecore, because that’s how I chose to distinguish them from the other groups.

Also note that the group name highlights the environment it is associated with, which means you can verify whether the environment the user wants to access is the DEV environment; otherwise, you already know what’s going on 🙂

However, if that’s not the case, let’s continue to the next step…

Sitecore.Plugin.IdentityProvider.AzureAd.xml

There are plenty of options to access this file; for the purpose of this verification, let’s use App Service Editor.

Assuming you have access to the Azure Portal, navigate to your Sitecore Identity Server App Service.

1. Navigate to your App Services, click on the Sitecore Identity App Service, look for App Service Editor, then click Go


2. Click the magnifier icon in App Service Editor, provide the Azure AD ID and the file to search, and hit Enter. Then, if the group exists in the file, click the search result


3. On the right, the file opens with your search term highlighted


As you can see, the Azure AD Security Group ID is there, but what if it isn’t? What would be the next step?

Well, in my case, the Azure AD Security Group name shows the permission it intends to claim, which here is Author, so go back to step 2, search for Author, and check the following:

  • Are there any <NewClaims> values pointing to the Sitecore\Author or Author roles?
  • Does the <SourceClaims> have the wrong Azure AD Security Group ID or none at all?
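
The same check can be scripted against a copy of the file. The following is an added example, not part of the original post: it assumes each transformation is a child of <ClaimsTransformations> holding <SourceClaims> and <NewClaims>, whose children carry type and value attributes. The transformation names, group names and GUIDs are constructed.

```powershell
# Constructed sample of the ClaimsTransformations section (names and GUIDs are illustrative).
# For the real file: [xml]$config = Get-Content <path to Sitecore.Plugin.IdentityProvider.AzureAd.xml>
[xml]$config = @'
<Settings><Sitecore><ExternalIdentityProviders><IdentityProviders><AzureAd>
  <ClaimsTransformations>
    <AzureGroupToAuthor>
      <SourceClaims><Claim1 type="groups" value="11111111-1111-1111-1111-111111111111" /></SourceClaims>
      <NewClaims><Claim1 type="role" value="sitecore\Author" /></NewClaims>
    </AzureGroupToAuthor>
    <AzureGroupToDesigner>
      <SourceClaims />
      <NewClaims><Claim1 type="role" value="sitecore\Designer" /></NewClaims>
    </AzureGroupToDesigner>
  </ClaimsTransformations>
</AzureAd></IdentityProviders></ExternalIdentityProviders></Sitecore></Settings>
'@

# Constructed stand-in for the DisplayName/ObjectId output of the membership query.
$userGroups = @(
    [pscustomobject]@{ DisplayName = 'Sitecore-DEV-Author'; ObjectId = '11111111-1111-1111-1111-111111111111' }
    [pscustomobject]@{ DisplayName = 'Sitecore-DEV-Editor'; ObjectId = '22222222-2222-2222-2222-222222222222' }
)

function Get-SitecoreClaimMapping {
    param([xml]$Config, [object[]]$Groups)
    $sources = @($Config.SelectNodes('//ClaimsTransformations/*/SourceClaims/*'))
    foreach ($g in $Groups) {
        # -eq on strings is case-insensitive, so GUID casing differences do not hide a match
        $hits = @($sources | Where-Object { $_.GetAttribute('value') -eq $g.ObjectId })
        if (-not $hits) {
            [pscustomobject]@{ Group = $g.DisplayName; Transformation = $null; NewClaims = 'NOT MAPPED' }
        }
        foreach ($h in $hits) {
            $t = $h.ParentNode.ParentNode   # the transformation element that owns this source claim
            $new = @($t.SelectNodes('NewClaims/*') | ForEach-Object { $_.GetAttribute('value') })
            [pscustomobject]@{ Group = $g.DisplayName; Transformation = $t.LocalName; NewClaims = $new -join ', ' }
        }
    }
}

# Transformations whose <SourceClaims> is empty can never match any group.
function Get-EmptySourceClaim {
    param([xml]$Config)
    $Config.SelectNodes('//ClaimsTransformations/*[not(SourceClaims/*)]') | ForEach-Object { $_.LocalName }
}

Get-SitecoreClaimMapping -Config $config -Groups $userGroups | Format-Table -AutoSize
Get-EmptySourceClaim -Config $config
```

A group reported as NOT MAPPED has no <SourceClaims> entry with its ObjectId, and a transformation listed by the second function has a role in <NewClaims> but nothing in <SourceClaims> to trigger it.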

However, if that’s not the case, let’s continue to the next step…

Sitecore Role existence

Go to your Sitecore Content Management

1. Access the Sitecore Experience Platform and, under Access Management, click Role Manager


2. In the Search field, type Author and hit Enter


Once again, as you can see, my Sitecore has the sitecore\Author role, but what if yours doesn’t? In that case, you have to create the role and test the access again.

These are the initial steps for troubleshooting when a user faces the “You do not have access to the system” error!

I hope you liked it, and I’ll see you on my next post!
