Hello all, this week I came across an exciting security issue on Sitecore. I need to block a few pages, and create a few groups.
I initially started testing using the “Everyone” role to test the cenario, but blocking access with that role is too broad and block users like content authors, which was not the idea. A better approach is to use “domain\Everyone”, which limits the scope to a specific security domain. However, for some reason, the security settings were not blocking access when using that domain-specific group.
After a debugging session, I eventually found the root cause in the Sitecore configuration, specifically in the Domains.config file. Sitecore uses this file to define which security domains exist and how they behave. If a domain is missing or misconfigured here, Sitecore may not correctly resolve roles such as domain\Everyone, resulting in unexpected behavior like permissions not being applied.
Below is an example of how a domain entry looks in Sitecore Domains.config:
<?xml version="1.0" encoding="utf-8"?>
<sitecore>
<domains>
<!-- Default Sitecore domain -->
<domain name="sitecore" ensureRoles="true" />
<!-- Default extranet domain -->
<domain name="extranet" ensureAnonymousUser="true" />
<!-- Your custom domain -->
<domain name="domain"
ensureRoles="true"
ensureAnonymousUser="false"
locallyManaged="true" />
</domains>
</sitecore>
So what was the actual issue?
My custom domain was correctly configured on my local environment and also on the QA CM environment. However, it was missing on the QA CD server. Since the CD instance did not know that this domain existed, Sitecore could not resolve any roles that belonged to it. As a result, permissions assigned to “domain\Everyone” were simply ignored.
Once the domain entry was added to the CD server’s Domains.config file, everything worked as expected.
Sitecore Tips 