Security and load balancing

Shared encryption

To ensure that Sitefinity CMS uses the same encryption key on every node in a load-balanced setup, all web servers must use the same machine key.

You must add a machineKey configuration in each instance’s web.config file.

NOTE: Add the machine key inside section <configuration>/<system.web>. This is the <system.web> section that is a direct child of the <configuration> section.

For more information, see Microsoft's machineKey Element (ASP.NET Settings Schema).

Sitefinity CMS Claims authentication in load balanced scenario

NOTE: The following section applies to SWT authentication scenarios and does not apply to OpenID authentication.

For Sitefinity’s claims-based authentication mode to operate correctly under load balancing, you must configure each node participating in the load balancing configuration as an issuer and as a relying party. For more information about authentication modes, see Authentication and Single Sign-On (SSO).

To add your nodes as issuers and relying parties, perform the following:

  1. In the main menu, click Administration » Settings » Advanced.
  2. In the tree view on the left, click Security » SecurityTokenIssuers » http://localhost.
  3. Copy and save the content of the Key, Encoding, and MembershipProvider fields.
  4. In the tree view, click SecurityTokenIssuers again.
  5. For each public address of the website, create a new security token issuer by performing the following:
    1. Click the Create new button.
    2. In the Realm input field, enter the domain concatenated with /Sitefinity/Authenticate/SWT.
      For example, http://smith.telerik.com/Sitefinity/Authenticate/SWT
    3. In the Key, Encoding, and MembershipProvider input fields, enter the values copied in Step 3.
    4. Click Save changes.

      NOTE: If your site is accessible via www., you must also perform Step 5 for this binding.
      For example, http://www.smith.telerik.com/Sitefinity/Authenticate/SWT

      NOTE: If your site is accessible on https://, you must perform Step 5 for the https:// binding. You must also add an entry for https://localhost.

  6. In the tree view, click RelyingParties » http://localhost.
  7. Copy and save the content of the Key, Encoding, and MembershipProvider fields.
  8. In the tree view, click RelyingParties again.
  9. For each instance participating in the load balancing mode, create a new relying party by performing the following:
    1. Click the Create new button.
    2. In the Realm input field, enter the URL of the Sitefinity CMS instance.
      For example, http://webserver1.telerik.com

      You could also use the server IP address:
      http://192.168.0.1 

    3. In the Key, Encoding, and MembershipProvider input fields, enter the values copied in Step 7.
    4. Click Save changes.
    5. If you have configured your site to run using Single Sign-on, open the web.config file, under <system.identityModel.services>, find wsFederation, and set its issuer to the address visible from the public internet. 
    6. Save and close the web.config file.
  10. For each public address of the website, create a new relying party by performing the following:
    1. Click the Create new button.
    2. In the Realm input field, enter the domain.
      For example, http://smith.telerik.com
    3. In the Key, Encoding, and MembershipProvider input fields, enter the values copied in Step 8.
    4. Click Save changes.

      NOTE: If your site is accessible on https://, you must perform Step 10 for the https:// binding. You must also add an entry for https://localhost.

  11. Restart all instances.

SSL and load balanced scenario

If you have an SSL binding for your site, you must have the SSL certificate installed on each of the web server nodes and must have added the https:// bindings to the configurations listed in the procedure above.

If you want Sitefinity’s Login page to be served under https://, perform the following:
  1. Open the web.config file of each instance participating in the load balancing configuration. 
  2. Navigate to the <wsFederation> node in the file and set the requireHttps parameter to true.
    For example, <wsFederation passiveRedirectEnabled="true" 
    issuer="http://localhost" realm="http://localhost" requireHttps="true"/>

NOTE: Sitefinity CMS does not synchronize its configuration between the nodes participating in your Load Balanced setup. You must perform the above settings on all Sitefinity CMS instances of your load balanced setup. If you are interested in possible approaches for handling configuration synchronization, see Administration: Upload and physical location of the application.
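
Because the nodes do not synchronize their configuration, it is worth checking for drift after each change. The following Python script is an added example, not Sitefinity or Progress code: it compares the machineKey under <configuration>/<system.web> (see Shared encryption) and the wsFederation requireHttps setting (see above) across copies of each node's web.config. The node names, the placeholder key strings, and the sample XML are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

KEY_ATTRS = ("validationKey", "decryptionKey", "validation", "decryption")

def inspect_node(xml_text, want_https_login=True):
    """Return (fingerprint, findings) for one node's web.config text."""
    root = ET.fromstring(xml_text)
    findings, fingerprint = [], None
    # Only <configuration>/<system.web>/<machineKey> counts, not a nested copy.
    mk = root.find("system.web/machineKey")
    if mk is None:
        findings.append("no machineKey directly under configuration/system.web")
    else:
        values = [mk.get(a, "") for a in KEY_ATTRS]
        if any(not v or "AutoGenerate" in v for v in values[:2]):
            findings.append("machineKey is missing a key or uses AutoGenerate")
        # Hash the settings so nodes can be compared without printing the keys.
        fingerprint = hashlib.sha256("|".join(values).encode()).hexdigest()[:12]
    ws = root.find("system.identityModel.services//wsFederation")
    if want_https_login and (ws is None or ws.get("requireHttps", "").lower() != "true"):
        findings.append("wsFederation requireHttps is not true")
    return fingerprint, findings

def check_farm(configs, want_https_login=True):
    """configs maps node name -> web.config text; returns node name -> findings."""
    prints, report = {}, {}
    for node, text in configs.items():
        prints[node], report[node] = inspect_node(text, want_https_login)
    if len({p for p in prints.values() if p}) > 1:
        for node, p in prints.items():
            if p:
                report[node].append(f"machineKey differs across nodes (fingerprint {p})")
    return report

def sample(key, https):
    """Constructed web.config text; the key strings are placeholders, not real keys."""
    return ("<configuration><system.web>"
            f"<machineKey validationKey='{key}' decryptionKey='{key}' "
            "validation='HMACSHA256' decryption='AES'/></system.web>"
            "<system.identityModel.services><federationConfiguration>"
            f"<wsFederation issuer='http://localhost' requireHttps='{https}'/>"
            "</federationConfiguration></system.identityModel.services></configuration>")

SAMPLE_FARM = {"web1": sample("PLACEHOLDER-KEY-A", "true"),
               "web2": sample("PLACEHOLDER-KEY-B", "false"),
               "web3": sample("AutoGenerate,IsolateApps", "true")}

if __name__ == "__main__":
    print({node: f or "OK" for node, f in check_farm(SAMPLE_FARM).items()})
```

To run it against a real setup, replace SAMPLE_FARM with the text of each node's web.config; pass want_https_login=False if the Login page is not served under https://.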
