I started a new project a few weeks ago and decided to use Sitecore 9.1 since it was already out.  This new project has the requirement of supporting logged in users.  The actual authentication system is outside of Sitecore.  Once a user is logged into the authentication system, they would be posted to Sitecore with a JWT token which we would use to establish their session on the Sitecore side.

So, my colleague, Veronika and I started to put together a PoC of how all of this would work.  I will be publishing a separate blog post where I will talk about the PoC itself.

The Problem

In this blog post, I want to highlight an issue that we’ve come across with Sitecore 9.1 which Sitecore Support has registered as a bug – reference ID 299093.

On the Sitecore side of things, we created a Controller Rendering that creates a virtual user.  Pretty basic code that you’ve probably seen on other blog posts:

// Create virtual user
var user = AuthenticationManager.BuildVirtualUser(@"extranet\johnsmith@test.com", true);

user.Roles.Add(Role.FromName(@"extranet\Logged In User"));

// Login the virtual user
AuthenticationManager.LoginVirtualUser(user);

When this code runs and we return the View, all of the following checks return positive results:

@Sitecore.Context.User.Name

@Sitecore.Context.User.IsAuthenticated

@Sitecore.Context.User.IsInRole("extranet\\Logged In User")

The problem is when we try to go to the “protected” page.  When trying to access the sample “protected” page that we setup in Sitecore, on which we’ve denied Read permission to the extranet\Anonymous user, we get the standard “access denied error”:

And, interestingly enough, Sitecore lists the User Name as extranet\Anonymous.

The Workaround

Sitecore is currently investigating this issue and once they provide me an update, I will update this post.  For now, the workaround is to simply disable the Identity Server functionality and revert to using the previous Forms Authentication functionality.

To implement this workaround, you need to:

1. enable the Sitecore.Owin.Authentication.Disabler.config config which you can find in your \App_Config\Include\Examples folder
2. update the main web.config to set the authentication mode to Forms like so:

<authentication mode="Forms">
    <forms name=".ASPXAUTH" cookieless="UseCookies" />
</authentication>

After making the changes above, make sure to clear all of your browser cookies.

With this workaround, you’ll be able to use Virtual Users again with Sitecore 9.1.  Obviously, not ideal, since this disables all of the Identity Server functionality that Sitecore rolled out with 9.1 but like I said, they are looking into it and I have full confidence that they will be able to find the root cause of this issue and fix it.