1

I'm quite new in ASP.NET Core 3.1 Razor Pages and I have a question. Hopefully you can help me further :).

What I want to have is an application with Windows AD Security. Description of what I want to do:

  • Customer needs to login using his/her AD account.
  • The user is authorized if entered a valid AD account/password combination.
  • The user have rights to see/adjust specific pages if in a specific group, let's say if in the Administrators group of the server where the application is running on.

The problem that I have is the following. In LaunchSettings.json I have placed this code:

    "windowsAuthentication": true,
    "anonymousAuthentication": false,
    "iisExpress": {
      "applicationUrl": "http://localhost:65385",
      "sslPort": 44356
    }
  }

Then in Startup.cs I have added AddAuthentication.

    public void ConfigureServices(IServiceCollection services)
    {
      services.AddAuthentication(IISDefaults.AuthenticationScheme);
      services.AddRazorPages();
    }

And in the Configure part:

      app.UseAuthentication();
      app.UseAuthorization();

Then finally I created a separate folder, called Admin, in my Pages folder. I want to restrict this folder for only the Administrators group. So I added the Authorize to the Index1Model.

  [Authorize(Roles = "Administrators")]
  public class Index1Model : PageModel
    {
        public void OnGet()
        {
        }
    }

Launching this code locally with IIS Express and clicking the page protected I do get the following error:

Access denied

I thought it might have to do with impersonation. But when I enable this in IIS then I cannot open the application anymore. The user which is display in the upper corner of my program is in the Administrator group and therewith should be allowed to see the page. What am I overlooking? Thanks for helping me out!

Improve this question
2
  • Have you enabled windows authentication in IIS? Commented Apr 25, 2020 at 18:33
  • @YankTHEcode, yes, both basic and windows authentication are enabled. Commented Apr 26, 2020 at 17:48

2 Answers 2

Reset to default
1

Have you enabled windows authentication in IIS? If not try that, else allow anonymous authentication and somewhere on your page display the user and it’s roles so you can see what identity is flowing through on IIS. You might have to change the identity that your app pool is running under but I am sure this has something to do with your IIS configuration.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Yes i have enabled both basic and windows authentication in IIS. Checked all the groups with this code: var identity = User.Identity as WindowsIdentity; var groupNames = from id in identity.Groups select id.Translate(typeof(NTAccount)).Value; Groups = groupNames.ToList();
What I see locally, when I start my project with IISExpress, that the user I test with is not in the BUILTIN\Administrators. While this user is actually in that group. Same holds if I test with IIS when added as application. Any thoughts why?
1

As far as I know, the windows authentication will just check the the user is authenticated or not. It will not provide any role based control in the MVC application.

So your Authorize attribute will be useless.

To achive AD role based authorize, I suggest you could consider using Policy-based authorization to authenticate only users from a Active Directory group have access to the page. Detials, you could refer to article.

You could create a custom Policy Authorization handlers to check User's all ADGroups and check if they contains your desired group name.

More details, you could refer to below steps:

1.Create CheckADGroupRequirement(accept a parameter)

public class CheckADGroupRequirement : IAuthorizationRequirement
    {
        public string GroupName { get; private set; }

        public CheckADGroupRequirement(string groupName)
        {
            GroupName = groupName;
        }
    }

2.Create Handler

public class CheckADGroupHandler : AuthorizationHandler<CheckADGroupRequirement>
    {
        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                       CheckADGroupRequirement requirement)
        {
            //var isAuthorized = context.User.IsInRole(requirement.GroupName);

            var groups = new List<string>();//save all your groups' name
            var wi = (WindowsIdentity)context.User.Identity;
            if (wi.Groups != null)
            {
                foreach (var group in wi.Groups)
                {
                    try
                    {
                        groups.Add(group.Translate(typeof(NTAccount)).ToString());
                    }
                    catch (Exception e)
                    {
                        // ignored
                    }
                }
               if(groups.Contains(requirement.GroupName))//do the check
                {
                    context.Succeed(requirement);
                }
            }

            return Task.CompletedTask;
        }
    }

3.Register Handler in ConfigureServices

services.AddAuthorization(options =>
{
    options.AddPolicy("ADRoleOnly", policy =>
        policy.Requirements.Add(new CheckADGroupRequirement("DOMAIN\\Domain Admin")));
});

services.AddSingleton<IAuthorizationHandler, CheckADGroupHandler>();

4.Controller

[Authorize(Policy = "ADRoleOnly")]
 public class ADController : Controller
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.