Security and load balancing

To ensure that Sitefinity CMS uses the same encryption key when running in load balancing, it is required that all web servers use the same machine key.

You must add a machineKey configuration in each instance’s web.config file.
For more information, see https://msdn.microsoft.com/en-us/library/w8h3skw9(v=vs.100).aspx .

To add your nodes as issuers and relying parties perform the following:

1. In the main menu, click Administration » Settings » Advanced.
2. In the tree view on the left, click Security » SecurityTokenIssuers » http://localhost.
3. Copy and save the content of fields Key, Encoding, and MembershipProvider.
4. In the tree view, click again SecurityTokenIssuers.
5. For each public address of the website, create a new security token issuer by performing the following:
   
   1. Click Create new button.
   2. In Realm input field, enter the domain concatenated with /Sitefinity/Authenticate/SWT.
      For example, http://smith.telerik.com/Sitefinity/Authenticate/SWT
   3. In Key, Encoding, and MembershipProvider input fields, enter the values copied in Step 3.
   4. Click Save changes.
      

      NOTE: If your site is accessible via www. You must also perform Step 5 for this binding.
      For example, http://www.smith.telerik.com/Sitefinity/Authenticate/SWT
      

      NOTE: If your site is accessible on https://, you must perform Step 5 for the https:// binding. You must also add an entry for https://localhost.

6. In the tree view, click RelyingParties » http://localhost.
7. Copy and save the content of fields Key, Encoding, and MembershipProvider.
8. In the tree view, click again RelyingParties.
9. For each instance participating in the load balancing mode create a new relying party by performing the following:
1. Click Create new button.
2. In Realm input field, enter the URL of the Sitefinity CMS instance.
   For example, http://webserver1.telerik.com
   

   You could also use the server IP address:
   http://192.168.0.1 

3. In Key, Encoding, and MembershipProvider input fields, enter the values copied in Step 7.
4. Click Save changes.
5. If you have configured your site to run using Single Sign-on, open the web.config file, under <microsoft.identityModel>, find wsFederation, and set its issuer to the address visible from the public internet. 
6. Save and close the web.config file.
10. For each public address of the website, create a new relying party by performing the following:
1. Click Create new button.
2. In Realm input field, enter the domain.
   For example, http://smith.telerik.com
3. In Key, Encoding, and MembershipProvider input fields, enter the values copied in Step 8.
4. Click Save changes.
   

   NOTE: If your site is accessible on https://, you must perform Step 10 for the https:// binding. You must also add an entry for https://localhost

11. Restart all instances.

If you have an SSL binding for your site, you must have the SSL certificate installed on each of the web server nodes and must have added the https:// bindings to the configurations listed in the procedure above.

1. Open the web.config file of each instance, participating in the load balancing configuration. 
2. Navigate to the <wsFederation> node in the file and set the requireHttps parameter to true.
   For example, <wsFederation passiveRedirectEnabled="true" 
   issuer="http://localhost" realm="http://localhost" requireHttps="true"/>

NOTE: Sitefinity CMS does not synchronize its configuration between the nodes participating in your Load Balanced setup. You must perform the above settings on all Sitefinity CMS instances of your load balanced setup. If you are interested in possible approaches for handling configuration synchronization, see Administration: Upload and physical location of the application.