Friday, June 9, 2023

Sitecore Powershell Extensions - Elevated session state issues

 SPE - Elevated session state issues


Some time ago I faced a very weird issue on a local setup of Sitecore 10.2 which includes the wonderful Sitecore Powershell Extensions (SPE). I wanted to run a script and SPE requested elevated session state. As you probably know is you have been using SPE already this happens (quite often) and requires you to provide your password again.



The problem was that in my case my password didn't work. Although I was sure it was correct. I could use the same password to login in Sitecore. I had this issue only on my local environment, not on any other test or production environment.

So I started my investigation that actually surfaced a few things so it might be worth putting this in a blog post.

SPE identityserver config

First of all, make sure the necessary config file is present and not disabled: https://sitecore.stackexchange.com/a/28255/237. In "\App_Config\Include\Spe" rename Spe.IdentityServer.config.disabled to Spe.IdentityServer.config. And restart.


This didn't fix my issue though and then I bumped into some configuration that could disable the request for elevated session state. Normally I would never consider this, but the problem was only local so it might be worth doing - but my curious mind wanted to fix the issue instead of putting it aside. 

Disable elevation

If you do want to tamper with the elevation requirements, check the "App_Config\Include\Spe\Spe.config" file and find the following entries: 

<token name="Default" expiration="00:00:00" elevationAction="..."/>
<token name="Console" expiration="00:05:00" elevationAction="..."/>
<token name="ISE" expiration="00:05:00" elevationAction="..."/>
<token name="ItemSave" expiration="00:05:00" elevationAction="..."/>

To disable the requirement, put "Allow" in the elevationAction.

But as mentioned we continue to solve the issue properly. I can't remember where I actually got the idea to verify the SHA settings... but that was next on the list.

SHA - the hash algorithm

I hope you do know you can (and should/must) change the hashing algorithm on your site. This is explained in https://doc.sitecore.com/xp/en/developers/latest/platform-administration-and-architecture/change-the-hash-algorithm-for-password-encryption.html.  

To do so, you need to update two files. The web.config file in the website needs an updated hashAlgorithmType setting (eg to SHA512). And if you use Sitecore Identity, you must also change the algorithm on the Sitecore Identity server

And apparently that was my issue. On the local environment I had no automated publish towards the Identity Server and so the hash algorithm was not changed there. I still think it's pretty weird that I could login to Sitecore with those settings but well.. I did. It's only when using SPE that this turned into a problem. Settings the hash to the same value as in the web.config fixed it all.

Conclusion

If you run into issues with elevated session state login:
  • check the SPE config folder if you have all necessary configs enabled
  • check whether the hash algorithm on the site and on the Identity Server are the same
  • check if your user is not locked (after a few failed attempts that might happen ☺) 
And if needed, you can also disable the elevation although I would not recommend doing so.




Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)