I am trying to use standard AD groups (not azure) to control access to an intranet site. I can successfully get the username using
User.Identity.Name
and pull the groups using
PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups();
When I started I figure it would be easy to lock down access using
[Authorize(Policy = "DOMAIN\\Domain Admin")]
However the User groups for authorisation don't seem to inherit from AD (I am guessing they did in a different version of ASP.NET?). I get access denied no matter what.
You could use Policy-based authorization to authenticate only users from a Active Directory group have access to the page.Make sure you have set correct AD group's name.
[Authorize(Policy = "ADRoleOnly")]
public class HomeController : Controller
Another method is to write a custom Policy Authorization handlers to check User's all ADGroups and check if they contains your desired
group name.
You could refer to follow steps:
1.Create CheckADGroupRequirement(accept a parameter)
public class CheckADGroupRequirement : IAuthorizationRequirement
{
public string GroupName { get; private set; }
public CheckADGroupRequirement(string groupName)
{
GroupName = groupName;
}
}
2.Create CheckADGroupHandler
public class CheckADGroupHandler : AuthorizationHandler<CheckADGroupRequirement>
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
CheckADGroupRequirement requirement)
{
//var isAuthorized = context.User.IsInRole(requirement.GroupName);
var groups = new List<string>();//save all your groups' name
var wi = (WindowsIdentity)context.User.Identity;
if (wi.Groups != null)
{
foreach (var group in wi.Groups)
{
try
{
groups.Add(group.Translate(typeof(NTAccount)).ToString());
}
catch (Exception e)
{
// ignored
}
}
if(groups.Contains(requirement.GroupName))//do the check
{
context.Succeed(requirement);
}
}
return Task.CompletedTask;
} }
Member
11 Points
33 Posts
Using AD groups to authorise access to pages using IIS Windows Authentication - ASP.NET Core 2.1
Feb 07, 2019 09:50 AM|Shadow_Kittencorn|LINK
I am trying to use standard AD groups (not azure) to control access to an intranet site. I can successfully get the username using
User.Identity.Nameand pull the groups using
PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups();When I started I figure it would be easy to lock down access using
[Authorize(Policy = "DOMAIN\\Domain Admin")]However the User groups for authorisation don't seem to inherit from AD (I am guessing they did in a different version of ASP.NET?). I get access denied no matter what.
What is the simplest way of doing this?
Participant
1390 Points
491 Posts
Re: Using AD groups to authorise access to pages using IIS Windows Authentication - ASP.NET Core...
Feb 08, 2019 07:28 AM|Xing Zou|LINK
Hi Shadow_Kittencorn,
You could use Policy-based authorization to authenticate only users from a Active Directory group have access to the page.Make sure you have set correct AD group's name.
In startup.cs ConfigureServices:
services.AddAuthorization(options => { options.AddPolicy("ADRoleOnly", policy => policy.RequireRole("DOMAIN\\Domain Admin")); });In controller:
Another method is to write a custom Policy Authorization handlers to check User's all ADGroups and check if they contains your desired group name.
You could refer to follow steps:
1.Create CheckADGroupRequirement(accept a parameter)
public class CheckADGroupRequirement : IAuthorizationRequirement { public string GroupName { get; private set; } public CheckADGroupRequirement(string groupName) { GroupName = groupName; } }2.Create CheckADGroupHandler
public class CheckADGroupHandler : AuthorizationHandler<CheckADGroupRequirement> { protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, CheckADGroupRequirement requirement) { //var isAuthorized = context.User.IsInRole(requirement.GroupName); var groups = new List<string>();//save all your groups' name var wi = (WindowsIdentity)context.User.Identity; if (wi.Groups != null) { foreach (var group in wi.Groups) { try { groups.Add(group.Translate(typeof(NTAccount)).ToString()); } catch (Exception e) { // ignored } } if(groups.Contains(requirement.GroupName))//do the check { context.Succeed(requirement); } } return Task.CompletedTask; }}
3.Register Handler in ConfigureServices
services.AddAuthorization(options => { options.AddPolicy("ADRoleOnly", policy => policy.Requirements.Add(new CheckADGroupRequirement("DOMAIN\\Domain Admin"))); }); services.AddSingleton<IAuthorizationHandler, CheckADGroupHandler>();4.Controller
Refer to Configure Active Directory group and Check if user belongs to that AD group in .Net CORE 2.2.
Xing
Member
11 Points
33 Posts
Re: Using AD groups to authorise access to pages using IIS Windows Authentication - ASP.NET Core...
Feb 08, 2019 01:00 PM|Shadow_Kittencorn|LINK
Thanks for you help.
The second version worked :)