I am trying to use standard AD groups (not Azure) to control access to an intranet site. I can successfully get the username using
User.Identity.Name
and pull the groups using
PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups();
When I started I figured it would be easy to lock down access using
[Authorize(Policy = "DOMAIN\\Domain Admin")]
However the User groups for authorisation don't seem to inherit from AD (I am guessing they did in a different version of ASP.NET?). I get access denied no matter what.
You could use Policy-based authorization so that only users from an Active Directory group have access to the page. Make sure you have set the correct AD group's name.
[Authorize(Policy = "ADRoleOnly")]
public class HomeController : Controller
Another method is to write a custom policy authorization handler to check all of the user's AD groups and check whether they contain your desired group name.
You could refer to the following steps:
1. Create CheckADGroupRequirement (accepts a parameter)
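using Microsoft.AspNetCore.Authorization;

// Requirement carrying the AD group name (DOMAIN\Name) the user must belong to
public class CheckADGroupRequirement : IAuthorizationRequirement
{
    public string GroupName { get; private set; }

    public CheckADGroupRequirement(string groupName)
    {
        GroupName = groupName;
    }
}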
2. Create CheckADGroupHandler
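using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

public class CheckADGroupHandler : AuthorizationHandler<CheckADGroupRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   CheckADGroupRequirement requirement)
    {
        //var isAuthorized = context.User.IsInRole(requirement.GroupName);
        var groups = new List<string>(); // names of all groups the user belongs to

        // "as" instead of a hard cast: a non-Windows identity yields null, so the
        // requirement is simply left unmet (access denied) instead of throwing.
        var wi = context.User.Identity as WindowsIdentity;
        if (wi?.Groups != null)
        {
            foreach (var group in wi.Groups)
            {
                try
                {
                    // Translate the group SID into its DOMAIN\Name form
                    groups.Add(group.Translate(typeof(NTAccount)).ToString());
                }
                catch (Exception)
                {
                    // ignored: the SID could not be translated to a name
                }
            }
            if (groups.Contains(requirement.GroupName)) // do the check
            {
                context.Succeed(requirement);
            }
        }
        return Task.CompletedTask;
    }
}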
Using AD groups to authorise access to pages using IIS Windows Authentication - ASP.NET Core 2.1
Feb 07, 2019 09:50 AM | Shadow_Kittencorn
I am trying to use standard AD groups (not Azure) to control access to an intranet site. I can successfully get the username using
User.Identity.Name
and pull the groups using
PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups();
When I started I figured it would be easy to lock down access using
[Authorize(Policy = "DOMAIN\\Domain Admin")]
However the User groups for authorisation don't seem to inherit from AD (I am guessing they did in a different version of ASP.NET?). I get access denied no matter what.
What is the simplest way of doing this?
Re: Using AD groups to authorise access to pages using IIS Windows Authentication - ASP.NET Core...
Feb 08, 2019 07:28 AM | Xing Zou
Hi Shadow_Kittencorn,
You could use Policy-based authorization so that only users from an Active Directory group have access to the page. Make sure you have set the correct AD group's name.
In startup.cs ConfigureServices:
services.AddAuthorization(options =>
{
    options.AddPolicy("ADRoleOnly", policy => policy.RequireRole("DOMAIN\\Domain Admin"));
});
In controller:
Another method is to write a custom policy authorization handler to check all of the user's AD groups and check whether they contain your desired group name.
You could refer to the following steps:
1. Create CheckADGroupRequirement (accepts a parameter)
2. Create CheckADGroupHandler
3. Register Handler in ConfigureServices
4. Controller
Refer to Configure Active Directory group and Check if user belongs to that AD group in .Net CORE 2.2.
Xing
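One way the registration and controller steps listed above can be wired up, as an added example that is not code from the answer or the linked article. It assumes the CheckADGroupRequirement and CheckADGroupHandler classes from steps 1 and 2 are in the project; the policy name "ADGroupOnly" is hypothetical.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Server.IISIntegration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // IIS performs Windows Authentication; this names the scheme that
        // ASP.NET Core uses when it has to challenge the caller.
        services.AddAuthentication(IISDefaults.AuthenticationScheme);

        services.AddAuthorization(options =>
        {
            // "ADGroupOnly" is a hypothetical policy name. The group string is
            // the one used in the thread and has to match the DOMAIN\Name form
            // that the handler gets from Translate(typeof(NTAccount)).
            options.AddPolicy("ADGroupOnly", policy =>
            {
                policy.RequireAuthenticatedUser();
                policy.Requirements.Add(
                    new CheckADGroupRequirement("DOMAIN\\Domain Admin"));
            });
        });

        // If the handler is not registered, nothing evaluates the requirement,
        // so the policy never succeeds and every request is denied.
        services.AddSingleton<IAuthorizationHandler, CheckADGroupHandler>();

        services.AddMvc();
    }
}

// The attribute takes the registered policy name, not the AD group name.
[Authorize(Policy = "ADGroupOnly")]
public class HomeController : Controller
{
    public IActionResult Index() => View();
}
```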
Re: Using AD groups to authorise access to pages using IIS Windows Authentication - ASP.NET Core...
Feb 08, 2019 01:00 PM | Shadow_Kittencorn
Thanks for your help.
The second version worked :)