SaaS CMS has officially launched! Learn more now.

ImageResizer + EPiServerBlobReader + DiskCache + Network share = redirect to util/login.aspx

Vote:
 

So, images are redirecting to /Util/login.aspx when using ImageResizer + EPiServerBlobReader + DiskCache + Network share.

For example
http://example.com/globalassets/global/images/someimage.jpg?width=90&height=110&mode=crop

redirects to
http://example.com/Util/login.aspx?ReturnUrl=%2fglobalassets%2fglobal%2fimages%2fsomeimage.jpg%3fwidth%3d90%26height%3d110%26mode%3dcrop&width=90&height=110&mode=crop

If we log in to EPiServer CMS then the image load correctly. Also, if we log in to another part of the website (a custom login form) instead of the CMS, the image also load correctly. Obviously we cannot ask all the visitors the log-in to see the images :-)

We have an EPiServer CMS 7.5 website (version 8.6.0). This website has MANY images. This website is also load-balanced 4x. Naturally we do not want to store each image 4 times. So we have a separate file-server for the images. We have configured the 'fileShare' blob-provider. 


    
        
    

In order to get this to work we have:

  • created an account on the web-servers and on the file-server with the same username/password
  • given full access permissions to this account on the file-server, on both system and share level
  • configured the Application Pool for the website on each web-server with this account

And voila, it works. We can now access the image directly (without it going through ImageResizer):

http://example.com/globalassets/global/images/someimage.jpg

So far so good. However, all these images need resizing using ImageResizer. Naturally we want to use caching (DiskCache plugin). And of course we want to cache these images on the file-server instead of on each web-server. We have created another share on the file-server with the same permissions as the blobs share, but now for ImageResizer's disk-cache.

\\FileServer\WebsiteData\ImageResizerCache

First we tried to directly specify this path directly in the diskcache plugin's configuration like so:


    
        
        
        
    
    

This does not work. ImageResizer will simply create subfolders in the root of the website. So we have configured IIS with a Virtual Directory pointing to this share on the file-server and updated the configuration to use this Virtual Directory, like so:


    
    

And it will do the redirect to /util/login.aspx as mentioned above. When looking at Sysinternal’s Process Monitor we can see the w3wp.exe process has access to the files from the network share and reads them correctly. However, when we are not logged in we see an extra event:

Process MonitorProcess Monitor

(url to image: https://cdn.pbrd.co/images/18qvtqiD.jpg)

For some reason the path is in UPPERCASE and the path is being accessed via IUSR (impersonation).

I replaced the nuget package with the plugin’s code (https://github.com/valdisiljuconoks/ImageResizer.Plugins.EPiServerBlobReader/). When debugging it goes through the EPiServerBlobReaderPlugin.GetFile function and returns the blob for image-resizer to use. However, directly after that the util/login.aspx file (and all it’s resources, css etc) also go through the same GetFile function. This is probably because somewhere the access is denied and the image request gets redirected to the episerver login page.

When specifying a local cache folder, the images do load (and we do not get the redirect). 

Any help would be very much appreciated.

 

#143677
Jan 28, 2016 18:01
Vote:
 

Grant read access rights to IUSR on the ImageResizer folder (file access rights)

#143694
Jan 28, 2016 23:36
Vote:
 

Thank you for your reply. It turns out that we had to edit the Anonymous Authentication Credentials and set it to Application pool identity.

Anonymous Authentication Credentials

It was set to IUSR.

Thank you Josef for this solution.

#143721
Jan 29, 2016 10:32
Vote:
 

I am wondering though if changing the Anonymous Authentication Credentials affects security? Of course we make sure that the user we run our site under has minimal access rights... Any thoughts?

#143722
Jan 29, 2016 10:46
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.