Hello!

After updating Episerver packages to latest (from 11.14.2 to 11.20.7) we got access problems to the CMS (Edit mode). 

1. I navigate to my site and log in to the CMS with /episerver.
2. I land on the dashboard that is working is usual.
3. I navigate to the CMS and land on the Edit page.
4. A pop up comes up telling me I have been loged out and that I need to log in again.
5. I press on the "Log in" button on the pop up and the page refreshes.
6. The same pop up appears.

I also noticed that an error pops up in the console (in browser developer tools):

SyntaxError: Unexpected token '<'
    at Object.dojo.fromJson (dojo.js:15)
    at Object.json (dojo.js:15)
    at _497 (dojo.js:15)
    at _2cd (dojo.js:15)
    at _2cb (dojo.js:15)
    at dojo.Deferred.resolve.callback (dojo.js:15)
    at dojo.js:15
    at _2f2 (dojo.js:15)
    at _2ec (dojo.js:15)
    at _2f1.resolve (dojo.js:15)

It is worth mentioning that I had access to the Admin panel and other pages in our CMS and they all worked as usual. But as soon as I went into "Edit" mode I got the pop up.

After much searching I found out the problem seemed to be based on the configuration of Virual roles in my Web.config.
Our site uses Forms authentication with WindowsMembershipProvider. Our customer has an AD with roles on each user depending on the level of access they should have in our systems.

The virtual roles I had defined:

<add name="Administrators" type="EPiServer.Security.WindowsAdministratorsRole, EPiServer.Framework" />
<add name="Everyone" type="EPiServer.Security.EveryoneRole, EPiServer.Framework" />
<add name="Authenticated" type="EPiServer.Security.AuthenticatedRole, EPiServer.Framework" />
<add name="Anonymous" type="EPiServer.Security.AnonymousRole, EPiServer.Framework" />
<add name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebAdmins, Administrators" mode="Any" />
<add name="CmsEditors" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebEditors" mode="Any" />

I noticed that the virutal roles CmsAdmins and CmsEditors didn't have connections to the AD-groups the users actually have.
I also do not where the WebAdmins and WebEditors non virtual roles come from since they are not defined anywhere. A guess is that they are old roles that were left in the web.config file when the project started it's development.

I then added our AD groups to the bellow virtual roles:

<add name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebAdmins, Administrators, DOMAIN\admins" mode="Any" />
<add name="CmsEditors" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebEditors, DOMAIN\editors" mode="Any" />

Once I added the above DOMAIN\ roles the CMS started working normally again.

I am not sure what caused my Edit-tab's authentication to stop working after the update but I have some suspicions. 👮

1. Our customers organization changed the users access level on our own machines. Previously we were local admins. Now we need to use some kind of admin by request service to get temporary local admin rights. This happended at arround June month this year. I guess that should somehow affect the first row of virtual roles: Administrators.
2. After updating our application Episerver packages the problem appeared. I seached in the release notes of all updates since version 11.14.2 but could not find any changes on the roles-system of Optimizely/Episerver CMS. Because the problem started after the update I still think it is connected somehow with the update.

Even if I found a solution to the problem it would be nice to understand the true cause of the problem to be sure my fix is a real fix 😁.
At this point I guess that the problem can be a result of both above suspicions combined.
I hope some other Episerver soul out there have had the same problem or maybe can see something I am missing in the bigger picture.
 
Thank you in advance! 🙌