Vulnerability in EPiServer.Forms
I am migrating an EPiServer CMS 4.62 web site to EPiServer CMS 5 R2. The migration tool completes successfully but users are not migrated. They do exist in the database but they are not visible in admin mode when searching for them. The accounts are not locked out.
Are the Sql membership and role providers configured for use (default provider or one of the providers in the multiplexer if it is default)?
Yes they are. See below.
<roleManager enabled="true" defaultProvider="SqlServerRoleProvider" cacheRolesInCookie="true">
  <providers>
    <clear />
    <add name="SqlServerRoleProvider" connectionStringName="EPiServerDB" applicationName="application" type="System.Web.Security.SqlRoleProvider, System.Web, Version=184.108.40.206, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>
<membership defaultProvider="SqlServerMembershipProvider" userIsOnlineTimeWindow="10">
  <providers>
    <clear />
    <add name="SqlServerMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=220.127.116.11, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="EPiServerDB" requiresQuestionAndAnswer="false" applicationName="application" requiresUniqueEmail="true" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordStrengthRegularExpression="" />
  </providers>
</membership>
Yes. There is a generated ".csv" file with the users and randomly generated passwords. These user accounts are added to the database (standard aspnet tables). But still they are not visible when I am in admin mode? The migration tool log (MigrationLog.log) reports no errors.
[2009-08-11 09:10:20][Information] Migration Completed.
Maybe the best way is to recreate the users (either via SQL script) or via admin mode. Thank you for your help.
You posted above that you are using SqlMembership and RoleProvider as default providers.
Since you obviously have access to admin I assume that you are logged in with your local administrator Windows account, i.e. you're either running WindowsAuthentication or MultiPlexing?
Just to be absolutely sure - you are looking at the correct web.config file? This is the web.config inside the version 5 site you pointed to when starting the migration tool - not the web.config file from the website you converted.
Yes. The web.config file I am working with is the web.config file for the CMS 5 web site. I am working in a locally set up VMware environment and what I have done to get in to admin mode is not by logging in but instead commenting out the following lines in web.config for the CMS 5 web site.
<!-- This is done both for edit and admin modes. I just comment out the lines below. No other users have access to the system. -->
<!-- <allow roles="WebEditors, WebAdmins, Administrators" /> -->
<!-- <deny users="*" /> -->
<allow users="*" />
So I am not really logging in to the web site, I am just bypassing the <deny users> thing here. But still I should be able to see the users, I think. I have tried logging in with multiple accounts from the csv file but none of them works. It just says "Login failed". Thank you very much for your fast reply.
It seems I have to manually create new groups (roles) in admin mode. For example, I had a group called "WebAdmins" on the old web site. I recreate this new group through admin mode. By using the following SQL query:
update dbo.aspnet_UsersInRoles set RoleId='[new GUID for WebAdmins]' where RoleId='[old GUID for group WebAdmins]'
All user accounts that I cannot see in admin mode but do exist in the database get the new role (same purpose with the new role as the old one). After this it seems that the "Set Access Rights" page works better. Suddenly it knows which roles have access rights to which pages.
Do you have an idea to why this problem occurs?
OK, your .csv file and the migration log indicate that the users have been migrated. But the SqlMembership provider cannot find any users (even though you can see them in the database). Could you check to see that the providers are configured with the correct database (check connectionStringName vs connectionStrings)?
Then try to create a new user, and see if you can locate the same user inside the database.
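
The checks discussed in this thread can be run against a web.config in one pass. The following is an added example, not code from the thread or from EPiServer: it resolves each provider's connectionStringName against connectionStrings, compares applicationName between the default providers, and reports any allow users="*" rule left inside a location block. The sample config, the connection string name "OldSiteDB" and the function name audit_web_config are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the membership provider points at a connection string that
# is not defined, and a <location> still carries the temporary allow-all rule.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="EPiServerDB" connectionString="(constructed placeholder)" />
  </connectionStrings>
  <system.web>
    <roleManager enabled="true" defaultProvider="SqlServerRoleProvider">
      <providers><clear />
        <add name="SqlServerRoleProvider" connectionStringName="EPiServerDB" applicationName="application" />
      </providers>
    </roleManager>
    <membership defaultProvider="SqlServerMembershipProvider">
      <providers><clear />
        <add name="SqlServerMembershipProvider" connectionStringName="OldSiteDB" applicationName="application" />
      </providers>
    </membership>
  </system.web>
  <location path="admin">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
</configuration>"""

def audit_web_config(xml_text):
    """Return (area, name, problem) tuples for provider and authorization issues."""
    root = ET.fromstring(xml_text)
    conn_names = {a.get("name") for a in root.findall("./connectionStrings/add")}
    findings, app_names = [], {}
    for section in ("membership", "roleManager"):
        node = root.find(f"./system.web/{section}")
        if node is None:
            continue
        providers = {p.get("name"): p for p in node.findall("./providers/add")}
        default = providers.get(node.get("defaultProvider"))
        if default is None:
            findings.append((section, node.get("defaultProvider"), "default provider not defined"))
            continue
        app_names[section] = default.get("applicationName")
        for name, p in providers.items():
            cs = p.get("connectionStringName")  # absent on non-SQL providers
            if cs is not None and cs not in conn_names:
                findings.append((section, name, "connectionStringName not in <connectionStrings>"))
    # SQL membership and role data are scoped by applicationName, so the two should match.
    if len(set(app_names.values())) > 1:
        findings.append(("providers", "applicationName", "membership and roleManager differ"))
    # allow users="*" matches every user, including anonymous ones.
    for loc in root.findall("./location"):
        for rule in loc.findall("./system.web/authorization/allow"):
            if rule.get("users") == "*":
                findings.append(("location", loc.get("path"), 'allow users="*" still present'))
    return findings
```

An empty result means every provider resolves to a defined connection string and no location block is open to all users.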