Kentico Preview - Error JWT Token

Leif Anderson asked on February 3, 2024 00:13

Preview is blank, and it shows this error when I open the preview in another tab: Try reloading the administration interface. The user was not found in the JWT token, nor in the current virtual context URL.

I went through these posts/documentation for ideas:


I've confirmed:

  • Kentico Version: 13.0.133
  • MVC Site Kentico Libraries is matching - 13.0.133
  • Domains are the same (,
  • Preview URL is correct (
  • Both sites are using HTTPS and have valid certificates.
  • Browser is not blocking third-party cookies. (tried in Edge, Chrome, and Firefox). I do know our org blocks third party cookies in Edge and Chrome, but I can turn it off in Edge.
  • CMSHashString is the same between the two
  • Tried updating all macro signatures in Kentico Admin.
  • Tried Cache-clear/Restart of Kentico admin and app itself.
  • Tried adding the SameSite setting (CMSAdminCookiesSameSiteNone) to the MVC site - just to see. Didn't change anything.
  • Tried turning off a lowercase redirect I had in my MVC app - so that this "KenticoCookiePolicyCheck" call wouldn't break. That didn't do anything.
  • Checked for any CSP policy stuff in web config or being injected by Cloudflare. We did a header in report-only, and deleting that didn't make a difference.
  • I double-checked, and nothing is getting blocked by Cloudflare in my session. This has been an issue before and was mentioned in one question I found.


  • We recently upgraded to Kentico 13. Before the Kentico 13 upgrade, the Kentico 12 preview worked when opening it in a new tab, but not in the preview inside Kentico. Now, both are broken.
  • I got it to a point where it doesn't throw an error in the preview (used to throw the 500 error below) -- but now it's just showing a blank preview area.

Full Stack Trace: [InvalidVirtualContextException: Try reloading the administration interface. The user was not found in the JWT token, nor in the current virtual context URL.] Kentico.Content.Web.Mvc.VirtualContextPrincipalRetriever.GetPrincipal(String jwtToken) +308 Kentico.Content.Web.Mvc.VirtualContextPrincipalAssigner.SetVirtualContextPrincipal(IVirtualContextPrincipalRetriever virtualContextPrincipalRetriever) +135 Kentico.Content.Web.Mvc.<>c.\<Initialize>b__5_0(Object sender, EventArgs eventArgs) +31 CMS.Base.AbstractHandler.CallEventHandler(EventHandler1 h, TArgs e) +110 CMS.Base.AbstractHandler.Raise(String partName, List1 list, TArgs e, Boolean important) +766 CMS.Base.SimpleHandler2.RaiseExecute(TArgs e) +99 CMS.Base.SimpleHandler2.RaiseExecute(TArgs e) +130 CMS.Base.SimpleHandler2.StartEvent(TArgs e) +190 CMS.Base.ApplicationModule.PostAuthenticateRequest(Object sender, EventArgs e) +16 System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +201 System.Web.<>c__DisplayClass285_0.\<ExecuteStepImpl>b__0() +24 System.Web.StepInvoker.Invoke(Action executionStep) +100 System.Web.<>c__DisplayClass4_0.\<Invoke>b__0() +18 Microsoft.AspNet.TelemetryCorrelation.TelemetryCorrelationHttpModule.OnExecuteRequestStep(HttpContextBase context, Action step) +64 System.Web.<>c__DisplayClass284_0.\<OnExecuteRequestStep>b__0(Action nextStepAction) +54 System.Web.StepInvoker.Invoke(Action executionStep) +84 System.Web.<>c__DisplayClass4_0.\<Invoke>b__0() +18 Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule.OnExecuteRequestStep(HttpContextBase context, Action step) +124 System.Web.<>c__DisplayClass284_0.\<OnExecuteRequestStep>b__0(Action nextStepAction) +54 System.Web.StepInvoker.Invoke(Action executionStep) +84 System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +100 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +73

Correct Answer

Leif Anderson answered on February 3, 2024 00:16

Turns out, the issue was that Cloudflare was setting the x-frame-options: SAMEORIGIN header.

This is under Rules > Transform Rules > Managed Transforms > Add Security Headers. Turning on that off fixed it for me. I added the other headers that were missing manually and added a CSP. They're listed in the Cloudflare Docs about this if you're curious.

0 votesVote for this answer Unmark Correct answer

Recent Answers

Elmar Höfinghoff answered on February 20, 2024 10:05 (last edited on February 20, 2024 10:09)

If you run the CMS in a path instead a subdomain this may also work if you get cross domain issues. You can do this if the CMS is running as a virtual application within the web application. Another thing that could help could be to set the document.domain property to the same main domain for all subdomains.

1 votesVote for this answer Mark as a Correct answer

   Please, sign in to be able to submit a new answer.