Using AD groups to authorise access to pages using IIS Windows Authentication - ASP.NET Core 2.1

  • Question

  • User1352447851 posted

    I am trying to use standard AD groups (not Azure) to control access to an intranet site. I can successfully get the username using

    User.Identity.Name

    and pull the groups using 

    PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups();

    When I started I figured it would be easy to lock down access using

    [Authorize(Policy = "DOMAIN\\Domain Admin")]

    However the User groups for authorisation don't seem to inherit from AD (I am guessing they did in a different version of ASP.NET?). I get access denied no matter what.

    What is the simplest way of doing this?

    Thursday, February 7, 2019 9:50 AM

Answers

  • User-1764593085 posted

    Hi Shadow_Kittencorn,

    You could use policy-based authorization so that only users from an Active Directory group have access to the page. Make sure you have set the correct AD group name.

    In Startup.cs ConfigureServices:

    services.AddAuthorization(options =>
    {
        options.AddPolicy("ADRoleOnly", policy => policy.RequireRole("DOMAIN\\Domain Admin"));
    });

    In controller:

    [Authorize(Policy = "ADRoleOnly")]
     public class HomeController : Controller

    Another method is to write a custom policy authorization handler that collects all of the user's AD groups and checks whether they contain your desired group name.

    You could refer to the following steps:

    1. Create CheckADGroupRequirement (accepts a parameter)

    using Microsoft.AspNetCore.Authorization;

    public class CheckADGroupRequirement : IAuthorizationRequirement
    {
        // Domain-qualified group name, e.g. "DOMAIN\\Domain Admin"
        public string GroupName { get; private set; }

        public CheckADGroupRequirement(string groupName)
        {
            GroupName = groupName;
        }
    }

    2. Create CheckADGroupHandler

    using System;
    using System.Collections.Generic;
    using System.Security.Principal;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authorization;

    public class CheckADGroupHandler : AuthorizationHandler<CheckADGroupRequirement>
    {
        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                       CheckADGroupRequirement requirement)
        {
            //var isAuthorized = context.User.IsInRole(requirement.GroupName);

            // Only a WindowsIdentity carries the logon token's group SIDs. For anything else
            // (anonymous request, another scheme) the requirement stays unmet, i.e. access denied,
            // instead of throwing an InvalidCastException.
            var wi = context.User?.Identity as WindowsIdentity;
            if (wi == null || wi.Groups == null)
            {
                return Task.CompletedTask;
            }

            var groups = new List<string>(); // "DOMAIN\\Group" name of every group in the token
            foreach (var group in wi.Groups)
            {
                try
                {
                    groups.Add(group.Translate(typeof(NTAccount)).ToString());
                }
                catch (Exception)
                {
                    // SID that cannot be translated to a name (deleted group, untrusted domain): skip it
                }
            }

            if (groups.Contains(requirement.GroupName)) // do the check
            {
                context.Succeed(requirement);
            }

            return Task.CompletedTask;
        }
    }

    3. Register the handler in ConfigureServices

    services.AddAuthorization(options =>
    {
        options.AddPolicy("ADRoleOnly", policy =>
            policy.Requirements.Add(new CheckADGroupRequirement("DOMAIN\\Domain Admin")));
    });
    
    services.AddSingleton<IAuthorizationHandler, CheckADGroupHandler>();

    4. Controller

    [Authorize(Policy = "ADRoleOnly")]
     public class ADController : Controller

    Refer to "Configure Active Directory group" and "Check if user belongs to that AD group in .NET Core 2.2".

    Xing

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, February 8, 2019 7:28 AM
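A variant of the second approach, added here as an example and not code from the thread or the answerer: instead of translating every group SID in the token to a name on each request, the group name is resolved to its SID once at startup and the handler compares SIDs. A misspelt group name then throws at startup rather than silently denying everyone, and a SID that cannot be translated (deleted or foreign-domain group) no longer matters. Assumed: ASP.NET Core 2.1 behind IIS with Windows Authentication enabled; the policy name "IntranetEditors", the group "DOMAIN\\Intranet Editors" and the controller are placeholders.

```csharp
// Added example, not code from the original thread. Assumes ASP.NET Core 2.1 on IIS
// with Windows Authentication; "IntranetEditors", "DOMAIN\\Intranet Editors" and
// EditorController are placeholder names.
using System;
using System.Linq;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// The requirement carries the group's SID, not its display name.
public class AdGroupSidRequirement : IAuthorizationRequirement
{
    public SecurityIdentifier GroupSid { get; }

    public AdGroupSidRequirement(SecurityIdentifier groupSid)
    {
        GroupSid = groupSid ?? throw new ArgumentNullException(nameof(groupSid));
    }
}

public class AdGroupSidHandler : AuthorizationHandler<AdGroupSidRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   AdGroupSidRequirement requirement)
    {
        // Fail closed: without a WindowsIdentity (anonymous request, other scheme)
        // there are no token groups to check, so the requirement stays unmet.
        var wi = context.User?.Identity as WindowsIdentity;
        if (wi == null || !wi.IsAuthenticated || wi.Groups == null)
        {
            return Task.CompletedTask;
        }

        // wi.Groups is the SID list of the logon token; nested membership was already
        // expanded when the token was built. Comparing SIDs needs no per-request name
        // lookup and is unaffected by renamed groups or untranslatable SIDs.
        if (wi.Groups.OfType<SecurityIdentifier>().Any(sid => sid == requirement.GroupSid))
        {
            context.Succeed(requirement);
        }

        return Task.CompletedTask;
    }
}

public static class AdGroupPolicyExtensions
{
    // Resolve "DOMAIN\\Group" to its SID once. A wrong group name surfaces here:
    // NTAccount.Translate throws IdentityNotMappedException, so the app fails at
    // startup instead of silently returning 403 for every user.
    public static SecurityIdentifier ResolveGroupSid(string domainQualifiedGroupName)
    {
        var account = new NTAccount(domainQualifiedGroupName);
        return (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
    }

    public static IServiceCollection AddAdGroupPolicy(this IServiceCollection services,
                                                      string policyName,
                                                      string domainQualifiedGroupName)
    {
        var groupSid = ResolveGroupSid(domainQualifiedGroupName);
        services.AddAuthorization(options =>
            options.AddPolicy(policyName, policy =>
                policy.Requirements.Add(new AdGroupSidRequirement(groupSid))));
        services.AddSingleton<IAuthorizationHandler, AdGroupSidHandler>();
        return services;
    }
}

// In Startup.ConfigureServices (placeholder names):
//     services.AddAdGroupPolicy("IntranetEditors", "DOMAIN\\Intranet Editors");

[Authorize(Policy = "IntranetEditors")]
public class EditorController : Controller
{
    public IActionResult Index() => Content("Hello, " + User.Identity.Name);
}
```

Two operational points worth knowing with either handler: the group list comes from the user's logon token, so a membership change in AD only takes effect after the user obtains a fresh token (log off and on, or a new Kerberos ticket), and the handler only ever calls Succeed, so a request that matches none of the policy's requirements is denied by default.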

All replies

  • User1352447851 posted

    Thanks for your help.

    The second version worked :)

    Friday, February 8, 2019 1:00 PM