Last post May 12, 2020 06:54 PM by bruce (sqlwork.com)
May 12, 2020 10:51 AM|Joe_coding|LINK
I am hoping someone can give me some advice on the best way to proceed. There are lots of solutions to this I have seen, but none seems to fit my needs.
So I am creating an MVC application in .NET Core 3.1 which also has an Angular SPA. I will be deploying to IIS 7.5.
The idea is for the MVC application to provide REST APIs to the SPA, and I need to authorise with Windows authentication so it can access server resources such as msmdpump (Analysis Services); however, not all domain users have access to this. I cannot use roles because the roles are based around departments for my company, so I would like to also perform a check to a database to see if the user has access.
I have already tried using cookie authentication, but instead of storing username and passwords I validate the credentials against Active Directory and also perform a check against the database, which gives access to the correct users but does not allow for passthrough authentication to msmdpump, as the header does not contain a Windows auth token.
Would anyone have any advice on how I should approach this?
If you need any more detail please let me know.
May 12, 2020 11:14 AM|mgebhard|LINK
Call the service from the web application not the browser. Assign the application pool identity to an account that has proper access.
May 12, 2020 03:01 PM|bruce (sqlwork.com)|LINK
The above solution is the easiest (webapi server has permission and validates the user's access). If you need to pass the user credentials along to the AS server, then you have some challenges.
May 12, 2020 04:29 PM|Joe_coding|LINK
Thanks for the reply. When you say call the service, which service are you referring to? The msmdpump?
With the application pool identity, again I assume you mean that the pool identity has proper access to msmdpump, but I am wanting it to be specific to a user as I rely on this for security (row level security).
May 12, 2020 04:35 PM|Joe_coding|LINK
Thanks for the reply bruce (sqlwo...
Do you have any example code of what I would need to implement?
I could use basic authentication to connect to AS and could implement a middleware which puts the user's credentials into the header, but this seems complicated, especially when I can easily configure the pump to be on the same site in IIS?
Thanks for the support.
May 12, 2020 06:54 PM|bruce (sqlwork.com)|LINK
If the service you are calling is on the same server as IIS then you don't need a primary token. Your webapi will still need to create a thread to impersonate the token and call the service. As this is Windows only, you will call the Windows API.
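
One way to combine the database check from the question with the impersonation described in the last reply, as an added example that is not code from any poster in this thread. It assumes Windows authentication is enabled for the site in IIS with anonymous access disabled; `IUserAccessStore`, `CubeController` and the `runReport` delegate are hypothetical names standing in for the database lookup and the actual call to msmdpump.

```csharp
using System;
using System.Security.Principal;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical abstraction over the per-user database check from the question.
public interface IUserAccessStore
{
    bool HasAccess(string windowsAccountName); // e.g. "DOMAIN\\user"
}

[ApiController]
[Route("api/[controller]")]
[Authorize] // unauthenticated requests are challenged (Negotiate/NTLM) before reaching the action
public class CubeController : ControllerBase
{
    private readonly IUserAccessStore _access;
    private readonly Func<string, string> _runReport; // hypothetical: performs the msmdpump call

    public CubeController(IUserAccessStore access, Func<string, string> runReport)
    {
        _access = access;
        _runReport = runReport;
    }

    [HttpGet("{reportId}")]
    public IActionResult Get(string reportId)
    {
        // Only a Windows-authenticated request carries a token that can be impersonated.
        // A cookie-based identity (the approach tried in the question) fails this check.
        if (!(User.Identity is WindowsIdentity caller) || !caller.IsAuthenticated)
            return StatusCode(403);

        // Application-level authorisation: the database decides, not AD group membership.
        if (!_access.HasAccess(caller.Name))
            return StatusCode(403);

        // Run the service call under the caller's token so row-level security in
        // Analysis Services sees the end user, not the application pool identity.
        // RunImpersonated is synchronous: the delegate must complete its work before
        // returning, and any connection or HTTP handler should be created inside it
        // so that it is not shared with requests from other users.
        string result = WindowsIdentity.RunImpersonated(
            caller.AccessToken, () => _runReport(reportId));

        return Ok(result);
    }
}
```

The token obtained this way is usable for resources on the same machine, which matches the same-server case in the reply above; reaching a service on another host with the user's identity additionally requires Kerberos delegation to be configured.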