ApplicationPoolIdentity is the best practice to use in IIS7. It is a dynamically created, unprivileged account. To add file system security for a particular application pool see IIS.net’s “Application Pool Identities”.
Here is a quick guide how to add rights to correct AppPool -profile on Windows Explorer
Open Windows Explorer
Select Sitecore installation directory.
Right click the file and select “Properties”
Select the “Security” tab
Click the “Edit” and then “Add” button
Click the “Locations” button and make sure you select thelocal machine. (Not the Windows domain if the server belongs to one.)
Enter “IIS AppPool\Sitecore” in the “Enter the object names to select:” text box. (Don’t forget to change “Sitecore” here to whatever you named your application pool.)
Click the “Check Names” button and click “OK”.
Refer to Sitecore Installation and Security guide for proper settings.
Earlier this summer I finished my first Sitecore project in MVC. I have worked on some Sitecore implementations before where there has been a mix of MVC and WebForms but this time I had a finally change to make presentation ground up so naturally I chose MVC. I have to admit I never felt in home on .NET webforms even I have been working with .NET since version 1.0. For me whole point of abstracting away some of the difficulties of a stateless protocol has always been giving more confusion than benefits. Probably because I was coming to .NET world from web development and I had never been developing in Windows. Anyway, what gave me quick start to MVC in Sitecore was these two videos.
I work these days with Adobe Experience Manager which is part of the integrated suite of products known as the Adobe Marketing Cloud, the Adobe Experience Manager connects with Adobe’s analytics, social media, targeting and optimization modules to create a holistic solution and Sitecore Experience Platform that connects the Web Content Management system with the Digital Marketing System to link together channels, engagement automation and analytics with third party tools. Both of these Experience platforms turns my focus on “CMS as platform“. CMS as platform has born due the lack of CRM solutions that integrates and understands web and social media. This hole has left room for CMS to fill this problem. Although, Adobe and Sitecore are both have been built on top of traditional CM to support cloud and therefore I am not sure if these platforms will solve Cloud -part on real Enterprise Content Management Systems.
So what would be the real Cloud CMS?
If we forget current CMS’s and think from the technology perspective Cloud and Enterprise Content Management one rather interesting concept is to rethinking use of data and presentation to completely different level. Since the Internet is big API of data. I have been playing with the thought where data does not need to be centrally stored but instead it can be loaded from many sources using open API’s or simply scrapped using crawlers. Then on CM side using advanced caching mechanism to stored into central package that can be handled with workflows. Just image a web page where the server that is serving a page is only having information about the presentation, cached content but the data can come from anywhere from the Internet. I could use SkyDrive over Office365 as data storage or Google Drive for generic content. I can host comments from Facebook and video’s from Youtube. If I were having social content I could stream content from a site like Wikipedia. All in the same stream. The CMS on this case would be playing role of brand manager with simple CM functionality that backtracks the changes and workflows and provides editors very easy mashups for social media Internet snippets and content. The role of the CM editor would be more of an Author who through workflows controls the content produced in any media and social media site. Regular editors could use already familiar tools on the Internet to produce content and use CMS just to low level editing, construct and page design from the Internet media. This would optimise management of web and social content in the same stream without loosing control of the processes.
OK, I admit this would be rather brave change for some that require full control but nothing that cannot be solved with today’s technology. I also think rethinking data out of “CMS” would free CMS more to evolution of marketing and experience control.
We have worked a lot on secure login in recent months including integration with NemLogin, PingFederate and AD FS and after having headaches with SAML assertions. We decided to create a simple module that hardens default Sitecore login with SMS token. It extends normal Sitecore login with extra step that asks you to give random code that is sent to your mobile phone. Mobile phone number is stored to your user profile. When you give right username and password the server will send unique key in SMS to your phone. This increases security on logins because no longer bad guys can guess your username+password and this way access to Sitecore. If you are using AD integration on your Sitecore instance you still can use this module (taken we can read your phone number).
Authentication workflow in Sitecore login
Step 1: Write your username and password
Step 2: Read SMS token from your phone
Step 3: Write SMS Code to Login Screen
Step 4: Login Notice that since I already know who user is after step 2 I can extend this very easily by choosing to scope User Interfaces, for example normally regular editors only use Page Editor and IMHO it is just confusing even show them anything else.
There will be a fee on the module and you will also need to have access to SMS gateway since SMS’s are not free. If you are not a developer we can install this for your Sitecore as long as you are running any version of Sitecore 7 or 6. For the SMS gateway we are right now supporting Twilio (REST) and generic SMS gateways (GET). If you like to get hint on the pricing take a look Twilio pricing. So far I have noticed that Twilio is slightly more expensive that others that I have seen but their API and Support (SLA) is good so you know what you are paying for. For more info on licensing contact me at @jpkeisala or call Addition +45 33 69 04 02.
Custom Login Page If you have even looked login screen of Sitecore you may have noticed it is not very customizable but fortunately we can replace it. We are changing login screen of Sitecore to “normal web page”, default look looks like Sitecore normal login screen. However, UI is customizable and uses Twitter Bootstrap.
What is Multi-factor authentication?
Multi-factor authentication (also MFA, two-factor authentication, two-step verification, TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: aknowledge factor (“something only the user knows“), a possession factor (“something only the user has“), and an inherence factor (“something only the user is”). After presentation, each factor must be validated by the other party for authentication to occur. More about the concept in wikipedia.
Someone asked me about Sitecore Devices and Responsive Design, so I decided to write short post about my experience on it.
Sitecore has a concept of Devices where different piece of content can be shown in different UI.
Sitecore backend screenshot of an item (a page) and designs attached to the page.
It is very powerful of Sitecore and one of the core features that gave me huge impression back in a day when I started to work on the Sitecore CMS.
Devices are easy to explains and therefore they are usually as a first concept for customer to serve website in Mobile and Browser layout but reality at least on my case is different. In in the end, I have not done many sites where I used dedicated and separate Mobile design as it usually comes as a feature request and by over the project project scope changes and stuff tends to come in and other less important features goes out. And yes… Mobile layout is something “let’s do it later after going live with main site…” So, I end up to build the site to desktop browser only.
I am only using devices for RSS feed, Print layout and couple of times JSON for some AJAX love (talking about that, take a detailed look in our own site how we load page when you click around in navigation, no page reload… cool eh? This is done in hashbang concept where I load only content and change url as it looks like I navigate site but I am not loading whole page ever.). In last year we have done all our sites in Responsive Design which means there is even less need for using separate device for mobile since HTML5/CSS3 does all the work for us. :) Also, I don’t really like separate print layouts either since we can simply do the same in CSS nowadays.
We made recently toolkit for trying to find Responsive Design for Sitecore. it is of course generic so it works for any site but it was a first toolkit for us to test sites with different window size to give an idea how page looks like on different resolution.
Darren Farley, technical writer from Sitecore wrote me answers to some of my questions on upcoming features.
About 3 databases
The new version of Sitecore has significantly less databases than in previous versions. Previous versions had 7 now there are only 3. The Core, Master and Web Databases are the only databases in the latest version of Sitecore.
The “Sitecore” and “Extranet” security databases were removed as they are now handled by the .NET security model and stored in standard tables.
The “Archive” and “Recycle bin” databases were removed as each database now has its own internal archive and recycle bin storage areas. The archive and recycle bin have also been enhanced to contain a search facility similar to the content editor.
He also wrote something about “Page Editor”
The old “WebEdit” has been completely replaced with in-line editing. This feature, called the “Page Editor”, brings a whole new level of functionality and ease of use to the web site. In its simplest form it will allow users with limited It skills to directly edit text and images on a web page directly without any knowledge of Sitecore architecture, whilst in the background all the items, workflow procedures and security that goes into editing items within the Sitecore framework are all still followed. Items still get locked and unlocked, and an item will move through a workflow in the same manner as if it was being edited in the Content Editor.
Branch Templates and Command Templates, this is completely new for me.
What was referred to in Sitecore 5 as “Templates” are now called “Data Templates” in Sitecore 6. Assigning a data template to an item means that content authors will be allowed to create items directly from the assigned template. To further expand the functionality of templates and facilitate the removal of Masters Sitecore has created two new template types. The first is the Branch Template, which allows the creation of a whole series of items to create a part of a content tree when item creation is invoked. The second is Command Templates which allows a class and method to be called to invoke a programmed operation to be performed during item creation ( i.e. invoking a wizard to collect data).
More info about ASP.NET security on Sitecore six
Sitecore 6 replaces the standard Sitecore security model with the .NET security model. This provides the security infrastructure with a variety of enhancements, which are:
·The ability to use plug and play security providers from Microsoft.
·Abstraction of data from the real data source.
·An easy option to replace or extend the default configuration with your own custom security providers.
·The possibility of using several providers simultaneously and thus keeping the accounts in identifiable storage areas.
The security model has been enhanced to allow roles in roles, a feature that is not available in the standard .NET security model.
These enhancements serve to allow the security of the Sitecore client to handle a lot more users, roles and domains than previously. Along with the new feature of roles in roles this serves to allow for scalability enhancements to support large scale security repositories.
Christopher Wojciech reveleals more details about new Page Editor in Sitecore on his blog.
The post really doesn’t tell much but definetly new inline editor is there but from screenshots I cannot really make comments if it’s good. When looking screenshots on the blog post looks like there is less changes than I though there will be. I am still looking for a comments about speed of editor rendering times and speed of changing simple things on content. I think speed in the current Sitecore is the biggest bottleneck for editors.
I have not seen V6 yet but I have been looking closely blogs and discussions on Sitecore Developer Network about the upcoming version of Sitecore 6 that will Rock every CMS developer world :O
Features known and my predections so far:
There are only 3 databases (Core, Master and Web).
Sitecore V5 has 7, I like this simplicity but I am curious to see solution on Sitecore Security.
.net 2.0 to .net 3.5
IMHO: Not a big fun on LINQ but all other updates are very welcome!
Completely reworked webedit
I predect this will be the biggest update of all. If they are able to roll out proper “edit in place” this product will take everyone under the table.
Not really sure this will happen but I hope they have removed Vista look and goes more Office metaphor on Shell.
No more Master templates, standard values rules.
If you are not Sitecore developer you have no idea what the heck I am talking about but this is good. :)
Security concept based on the .net membership provider.
Makes easier implementation to LDAP’s. I have been missing that on Sitecore.
XSLT extension controls: The WebEditRibbon and the StringUtil.
I am not sure what are these but I am sure I will fall in love with WebEditRibbon. Please please Sitecore let me place and design my own Add/Edit/Delete buttons :P
AJAX included automatically
Not really sure which library, I hope it will be effortless to implement my own AJAX library.
ps: Just notice myself my blog URL says /v6/ that has nothing to do with Sitecore just the coincidence. This blog runs on WordPress and v6 stands for version of my website. I have had homepage since 1997 and last time I updated was in 2005 where I made WordPress installation to to v6 folder…
Sorting Sitecore data to multicolumn html table is quite hard in XSLT because data in XML is not sorted by item/@sortorder.
I finally found out how to do this so it will actually work and I am not loosing data. The trick is creating data first into a flat XML Nodeset and looping this data then to a multicolumn table using following-sibling::item commands. Here is the small sample code for this where I take abstract content structure from the Sitecore to a XML Nodeset <ul><li>xxxxxx</li></ul>.