Try our conversational search powered by Generative AI!

AI OnAI Off

Security Exception (Index Site Content)

Mathias Ottosson
Mathias Ottosson
Vote:
 

While trying to access the "Index Site Content" - /EPiServer/EPiServer.Search.Cms/IndexContent.aspx (in cms 11)
Im met with a Security Exception :

Description: The application attempted to perform an operation not allowed by the security policy.  To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file. 

Exception Details: System.Security.SecurityException: Request for principal permission failed.

[SecurityException: Request for principal permission failed.]
   System.Security.Permissions.PrincipalPermission.ThrowSecurityException() +257
   System.Security.Permissions.PrincipalPermission.Demand() +496
   System.Security.PermissionSet.DemandNonCAS() +146
   EPiServer.UI.Admin.IndexContent..ctor() +35
   ASP.episerver_episerver_search_cms_indexcontent_aspx..ctor() +58
   __ASP.FastObjectFactory_app_web_gmuadrnl.Create_ASP_episerver_episerver_search_cms_indexcontent_aspx() +63
   System.Web.Compilation.BuildManager.CreateInstanceFromVirtualPath(VirtualPath virtualPath, Type requiredBaseType, HttpContext context, Boolean allowCrossApp) +132
   System.Web.UI.PageHandlerFactory.GetHandlerHelper(HttpContext context, String requestType, VirtualPath virtualPath, String physicalPath) +44
   System.Web.MaterializeHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +377
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +134



The problem is that it works fine on my local machine, and this only happens on the production enviroment. I cant seem to figure out whats wrong. Accessing other tools such as export, import
Manage Content, Change log etc all works. I noticed this issue when it seemed like the search had stopped working after the update from cms 10 -> 11.

#189002
Edited, Mar 08, 2018 13:07
Mathias Ottosson
Mathias Ottosson
Vote:
 

I forgot to mention that i have already tried to add : <trust level="Full" /> to the web.config.

#189003
Mar 08, 2018 13:09
Erik Norberg
Erik Norberg
Vote:
 

Could this be relevant?

https://world.episerver.com/documentation/Release-Notes/ReleaseNote/?releaseNoteId=CMS-8106

#189006
Mar 08, 2018 13:50
Mathias Ottosson
Mathias Ottosson
Vote:
 

I just read through that post and i cant seem to find anything that would point me to what the cause of this could be. Like i said, it only happends on the production environment, i have 0 issues when accessing it on a local machine (dev environment). Did i miss anything or what were you thinking of exactly :) ?

#189007
Mar 08, 2018 13:55
Erik Norberg
Erik Norberg
Vote:
 

I was thinking if your production web.config has been updated with the changes:

Configuration sections EPiServerFrameworkSection, StaticFileSection, EPiServerDataStoreSection and SearchSection have been moved to assembly EPiServer.Framework.AspNet

That is my first thought is if it can even find the configuration at all. :)

#189008
Mar 08, 2018 14:02
Mathias Ottosson
Mathias Ottosson
Vote:
 

I doubt that is the issue, since we copied the local config and just made changes to connection strings etc to reflect the production db and url. After a quick compare it seems they are as identical as they can get, so i assume the issue lies elsewhere :(

#189009
Mar 08, 2018 14:08
Erik Norberg
Erik Norberg
Vote:
 

Ah, i think i misunderstood the OP.

You aren't having a security issue with the actual search, but rather with accessing the admin page for triggering a full index?

I haven't made the transition to 11 yet. embarassed

If you haven't done it yet i would suggest you go through the function permissions to see if they added anything there:

CMS->Admin->Config->Security->Permissions for Functions

That is something that wouldn't have been migrated with the config file.

#189011
Mar 08, 2018 14:21
Mathias Ottosson
Mathias Ottosson
Vote:
 

Exactly, im trying to access the page that allows me to call a full reindex. 

Humm i checked it out but does not seem to have anything to do with it, since we never even bothered to edit anything there in previous versions. Hopefully you have less trouble with ur update :) 

#189013
Edited, Mar 08, 2018 14:35
Erik Norberg
Erik Norberg
Vote:
 

I won't notice if i get the same issue as you have anyway, we have a custom job to do a full index that includes commerce content. :D

#189016
Mar 08, 2018 14:44
Eric Petersson
Eric Petersson
Vote:
 

I am also experiencing this but also on my local development environement.

Have tried to replace the machine.config and web.config with full trust for the Episerver local site but doesn't seem to be working...

#192024
May 03, 2018 16:24
Eric Petersson
Eric Petersson
Vote:
 

I am also experiencing this but also on my local development environement.

Have tried to replace the machine.config and web.config with full trust for the Episerver local site but doesn't seem to be working...

#192025
May 03, 2018 16:24
Vote:
 

A couple of things to try out:

1. Turn of firewall to see if it fixes the issue.

2. Compare the application pool settings between local and production.

3. Make sure you have the following in your web.config

<authentication mode="None" />
#192041
May 04, 2018 0:05
Johan Björnfot
Johan Björnfot
Vote:
 

One difference is that IndexContent.aspx is delivered from disk through a VPP (from folder /modules/_protected/EPiServer.Search.CMS) while the other pages in admin mode you mention are delivered from a ZIP package (from folder /modules/_protected/CMS/CMS.zip) .Not that I know that it can be a problem,but it is a difference at least...

Can you check that the account running the web process has access rights (file access on disk) for the file IndexContent.aspx (compared to e.g. web.config)?

#192066
May 04, 2018 15:55
Eric Petersson
Eric Petersson
Vote:
 

In our case it turned out that we needed to set the virtual roles mapped to our specific admin group roles for our site implementation. 

Since Epi was checking for the principalrole of Administrators.

#192067
May 04, 2018 16:03
Jonas Lindau
Jonas Lindau
Vote:
 

Eric, can you tell me exactly how you did this? I also tries to get this working by setting the virtual role without success...

/Jonas

#200876
Jan 30, 2019 8:03
William Hemmingsson
William Hemmingsson
Vote:
 

Jonas, we had the same problem. I read through this thread and found that changing how the Administrators role work solved the problem. Since we are using Azure AD authentication (and no multiplexing) the Windows role Administrators in not really used anymore. But, it seems that the IndexContent.aspx page requires the user to be in this group. 

I removed the follwoing row in web.config (under virtualRoles/providers)

<add name="Administrators" type="EPiServer.Security.WindowsAdministratorsRole, EPiServer.Framework" />

And added this row instead

<add name="Administrators" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebAdmins, GrpAppAdmOffice365E1" mode="Any" />

where "GrpAppAdmOffice365E1" is the admin role provided by Azure AD and WebAdmins is the standard EPiServer role. 

Note that we now no longer can login as an adminsitrator using Windows Authentication, but since we are only using Azure AD its not an issue for us.

#202103
Edited, Mar 14, 2019 11:10
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.