[Solved] Issue with Sitecore Identity Server and Azure AD

I had to set up an integration between Azure Active Directory and Sitecore 9.1, and I was able to accomplish it by following the steps on Derek Correia’s blog. Then, I had to map claims to User Profiles as well.

Once I had everything in place, I added users to the groups according to the roles mapped in Sitecore, and it was working fine.

A few days ago, one of the users complained about not being able to access Sitecore using their Azure AD account and, fair enough, the account was not part of the group. So I added the account to the group and asked the user to check again, and I received the following response:

“I’m still seeing the same error as before: You do not have access to the system. If you think this is wrong, please contact the system administrator.”

Weird, right? Sitecore should check the group, verify that the user is now a member, and then allow access, but for some reason it was not happening.

While troubleshooting, I observed the user was added to the Users in Sitecore

I then performed two additional steps:

  • Removed the user created after the first sign-in, and asked the user to log in again, but no luck (please note that, once again, the user was automatically added in Sitecore)
  • Added the user to the Sitecore Authors group, and asked the user to sign in again, and oddly enough the user was able to access Sitecore

Unfortunately, this didn’t address the problem, because the main idea is to have the permissions mapped to Azure AD Groups and not to individuals, so I decided to open a Sitecore ticket.

Based on the information I provided, the Sitecore Support team then asked me to perform some steps:

  1. Delete Vinicius from the User Manager
  2. Make sure he is part of the Azure AD Group that allows access to Sitecore
  3. Restart Sitecore CMS and Sitecore Identity Server
  4. Have Vinicius try to log in again and let us know the results

After following the steps, Vinicius was able to log in without issues, but I decided to perform additional steps:

  1. Delete Vinicius from the User Manager
  2. Make sure he is NOT part of the Azure AD Group
  3. Have Vinicius try to log in again

And the user still had access to Sitecore, so I restarted Sitecore CMS and Sitecore Identity Server, and, as expected, Vinicius couldn’t sign in anymore.

The workaround is to keep restarting the Sitecore Identity Server every time you add or remove users from the Azure AD Group; however, that isn’t acceptable for production environments.

After collecting this information, the Sitecore Support team came back with a hotfix.

For your reference, if you face the same issue: Ticket #322237

According to the Sitecore Support response:

Be aware that the hotfix was built specifically for Sitecore 9.1.0, and you should not install it on other Sitecore versions or in combination with other hotfixes, unless explicitly instructed by Sitecore Support.
Please follow the readme instructions inside the zip file archive carefully to install the hotfix (note that the fix is being applied to the Sitecore IdentityServer, and not your Sitecore CMS site).

You should replace all the files in their original locations on your Sitecore Identity Server. The hotfix contains the following files:

  • Website root folder\
    • Sitecore.Plugin.IdentityServer.dll
    • Sitecore.Plugin.IdentityServer.xml
  • Website root\sitecore\Sitecore.Plugin.IdentityServer\Config
    • identityServer.xml
  • Website root\sitecore\Sitecore.Plugin.IdentityServer\
    • Sitecore.Plugin.manifest

Then follow these steps:

  1. Stop Sitecore Identity Server
  2. Copy the files to Sitecore Identity Server and overwrite existing files
  3. Start Sitecore Identity Server
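
The three steps above as a PowerShell script that also backs up the originals and verifies each copied file by hash. This is an added example, not part of the Sitecore readme or the original post; the folder paths, the IIS application pool name, and the assumption that the extracted hotfix mirrors the site layout are placeholders to adjust.

```powershell
# Added example; the four parameter defaults are assumed placeholders.
param(
    [string]$HotfixDir    = 'C:\temp\hotfix',                    # unzipped hotfix, laid out like the site
    [string]$IdentityRoot = 'C:\inetpub\wwwroot\identityserver', # Identity Server site root
    [string]$BackupRoot   = 'C:\backup\identityserver',          # kept outside the web root
    [string]$AppPool      = 'identityserver'                     # IIS application pool of the site
)
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# The four files the post lists as the hotfix content, relative to the site root.
$files = @(
    'Sitecore.Plugin.IdentityServer.dll'
    'Sitecore.Plugin.IdentityServer.xml'
    'sitecore\Sitecore.Plugin.IdentityServer\Config\identityServer.xml'
    'sitecore\Sitecore.Plugin.IdentityServer\Sitecore.Plugin.manifest'
)
# Fail before touching the service if either side is incomplete.
foreach ($f in $files) {
    foreach ($base in $HotfixDir, $IdentityRoot) {
        $p = Join-Path $base $f
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { throw "Missing file: $p" }
    }
}
$backup = Join-Path $BackupRoot ('pre-hotfix-{0:yyyyMMdd-HHmmss}' -f (Get-Date))

# Step 1: stop Identity Server and wait until the worker has released the files.
if ((Get-WebAppPoolState -Name $AppPool).Value -ne 'Stopped') { Stop-WebAppPool -Name $AppPool }
while ((Get-WebAppPoolState -Name $AppPool).Value -ne 'Stopped') { Start-Sleep -Seconds 1 }

foreach ($f in $files) {
    $src = Join-Path $HotfixDir $f
    $dst = Join-Path $IdentityRoot $f
    $bak = Join-Path $backup $f
    New-Item -ItemType Directory -Path (Split-Path $bak -Parent) -Force | Out-Null
    Copy-Item -LiteralPath $dst -Destination $bak          # keep the original
    Copy-Item -LiteralPath $src -Destination $dst -Force   # step 2: overwrite
    if ((Get-FileHash -LiteralPath $src).Hash -ne (Get-FileHash -LiteralPath $dst).Hash) {
        throw "Hash mismatch after copy: $dst"
    }
}
# Step 3: start only after every file was replaced and verified.
Start-WebAppPool -Name $AppPool
```

If a copy or hash check fails, the script ends with the pool still stopped, so a partially patched Identity Server never serves logins; restore from the backup folder or fix the cause, then start the pool.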

After performing the steps above, I executed the following validation:

  1. Delete Vinicius from the User Manager
  2. Make sure he is part of the Azure AD Group that allows access to Sitecore
  3. Have Vinicius try to log in again

IT WORKED!!!

No restart required after applying Sitecore hotfix

I hope you liked it, and I’ll see you on my next post!

 

Credits

Photo by Louis Hansel on Unsplash

[Solved] Application Insights not working on Sitecore 9.1 PaaS

A couple of weeks ago I asked a question on Sitecore Stack Exchange, explaining that the Sitecore 9.1 PaaS our team had provisioned in Azure was not providing data to Application Insights.

I went through the existing post Accessing log files in application insights for Sitecore 9 in Azure app service, which allowed me to do some troubleshooting. In summary, here are the steps I reproduced:

1. Check appinsights.instrumentationkey in ConnectionStrings.config

The idea is to verify that the data is not going to a different Application Insights resource and that no typo occurred somewhere. Please compare the Instrumentation Key in the Azure Portal with the one in ConnectionStrings.config.

2. Check the Daily Cap

3. Check showconfig.aspx

4. Enable Live Metrics Stream

5. Enable Application map

On all roles, in the wwwroot/ApplicationInsights.config, uncomment the line containing the DependencyTrackingTelemetryModule. A caution though – it nearly doubles your ApplicationInsights data usage.

6. Querying Application Insights

– Go to the Application Insights resource and click the Analytics button on the Overview tab.
– The query builder will open. Paste in the following query:

traces
| project timestamp, message, severityLevel, customDimensions.Role, customDimensions.InstanceName
| order by timestamp desc

– Select the time range and click Run.

Another thing is that the Search shows results from Sitecore

Michael Baranov suggested the following:

It’s a bug in 9.1.

To fix this you need:

Add telemetry module to ApplicationInsights.config

<Add Type="Microsoft.ApplicationInsights.Web.AspNetDiagnosticTelemetryModule, Microsoft.AI.Web"/>

Add module to web.config under system.webserver

<add name="TelemetryCorrelationHttpModule" type="Microsoft.AspNet.TelemetryCorrelation.TelemetryCorrelationHttpModule, Microsoft.AspNet.TelemetryCorrelation" 
        preCondition="integratedMode,managedHandler" />

And I did what he said, but a Yellow Screen of Death showed up: “Could not load file or assembly ‘Microsoft.AspNet.TelemetryCorrelation’ or one of its dependencies. The system cannot find the file specified”, and I never heard back from him.

Frank Rosario, a colleague of mine here at Valtech, opened a ticket with Sitecore and they sent a hotfix for us.

For your reference, if you face the same issue: Ticket #527731

IMPORTANT: The following approach DOES NOT work without the hotfix provided by Sitecore; don’t give it a shot by simply changing the files specified in the step “after the hotfix has been installed”.

According to the Sitecore response:

Be aware that the hotfix was built specifically for Sitecore XP 9.1 Initial Release, and you should not install it on other Sitecore versions or in combination with other hotfixes, unless explicitly instructed by Sitecore Support.

Note that you need to extract ZIP file contents to locate installation instructions and related files inside it.

Unless stated differently in the installation instructions, the hotfix should be installed on CM instance and then synced with other instances using your regular development practices

The hotfix should be installed as a package, and will replace the following DLL libraries:

  • /bin/Microsoft.AI.Web.dll
  • /bin/Microsoft.ApplicationInsights.dll
  • /bin/Microsoft.ApplicationInsights.TraceListener.dll
  • /bin/Microsoft.AspNet.TelemetryCorrelation.dll
  • /bin/System.Diagnostics.DiagnosticSource.dll

After the hotfix has been installed, these steps must be taken:

1. Edit ApplicationInsights.config. Under ApplicationInsights\TelemetryModules, paste the following line at the bottom of the section:

<Add Type="Microsoft.ApplicationInsights.Web.AspNetDiagnosticTelemetryModule, Microsoft.AI.Web" />

2. Edit web.config. Under configuration/system.webServer/modules, after <remove name="ApplicationInsightsWebTracking"/>, insert the following string:

<add name="TelemetryCorrelationHttpModule" type="Microsoft.AspNet.TelemetryCorrelation.TelemetryCorrelationHttpModule, Microsoft.AspNet.TelemetryCorrelation" preCondition="integratedMode,managedHandler"/>

Once you modify the files, restart the App Services and try to access it again to generate data for the Application Insights
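
A pre-restart check for the two edits above, added here as an example (not code from Sitecore or the original post): it confirms both entries are present and that the assembly each one names exists in /bin, the condition whose absence caused the “Could not load file or assembly” error earlier. The function name and the sample configs are constructed for illustration.

```powershell
# Added example: Test-AiHotfixConfig is a hypothetical helper name.
function Test-AiHotfixConfig {
    param([xml]$AiConfig, [xml]$WebConfig, [string[]]$BinFiles)

    # Step 1 of the post: AspNetDiagnosticTelemetryModule listed under TelemetryModules.
    $ai = @($AiConfig.SelectNodes("//*[local-name()='TelemetryModules']/*[local-name()='Add']") |
        Where-Object { $_.GetAttribute('Type') -like 'Microsoft.ApplicationInsights.Web.AspNetDiagnosticTelemetryModule,*' })

    # Step 2 of the post: TelemetryCorrelationHttpModule registered under system.webServer/modules.
    $mod = @($WebConfig.SelectNodes('/configuration/system.webServer/modules/add') |
        Where-Object { $_.GetAttribute('name') -eq 'TelemetryCorrelationHttpModule' })

    # Each entry is "Type, Assembly"; the assembly must be in /bin or the site
    # fails with "Could not load file or assembly" as soon as it starts.
    $missing = @(foreach ($node in $ai + $mod) {
        # The attribute is 'Type' in ApplicationInsights.config and 'type' in web.config.
        $typeName = $node.GetAttribute('Type') + $node.GetAttribute('type')
        $dll = ($typeName -split ',')[1].Trim() + '.dll'
        if ($BinFiles -notcontains $dll) { $dll }
    })

    [pscustomobject]@{
        TelemetryModule   = $ai.Count -gt 0
        CorrelationModule = $mod.Count -gt 0
        MissingAssemblies = $missing
        SafeToRestart     = ($ai.Count -gt 0) -and ($mod.Count -gt 0) -and ($missing.Count -eq 0)
    }
}

# Constructed sample input: both entries are present, but /bin lacks the correlation DLL,
# which is the state that produced the Yellow Screen of Death described above.
$aiSample = [xml]@'
<ApplicationInsights xmlns="http://schemas.microsoft.com/ApplicationInsights/2013/Settings">
  <TelemetryModules>
    <Add Type="Microsoft.ApplicationInsights.Web.AspNetDiagnosticTelemetryModule, Microsoft.AI.Web" />
  </TelemetryModules>
</ApplicationInsights>
'@
$webSample = [xml]@'
<configuration><system.webServer><modules>
  <remove name="ApplicationInsightsWebTracking" />
  <add name="TelemetryCorrelationHttpModule" type="Microsoft.AspNet.TelemetryCorrelation.TelemetryCorrelationHttpModule, Microsoft.AspNet.TelemetryCorrelation" preCondition="integratedMode,managedHandler" />
</modules></system.webServer></configuration>
'@
Test-AiHotfixConfig $aiSample $webSample @('Microsoft.AI.Web.dll', 'Microsoft.ApplicationInsights.dll')
```

Against a real site, pass the parsed ApplicationInsights.config and web.config and the file names from the bin folder instead of the samples.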

References and thanks

Mark Gibbons for writing a terrific answer on how Application Insights works, and ways to troubleshoot it

Frank Rosario for opening the ticket with Sitecore

Sitecore for the amazing support

I hope you liked it, and I’ll see you on my next post!