Windows Authentication in ASP.NET 5

.NET Core MVC 5 Windows Authentication

the error "Type or namespace 'Users' could not be found".

From the AuthorizeAttribute Class, we can see that the Authorize attribute only have the Roles and Policy property, without the Users property, so it will show the above error.

If you want to set authorization rights for specified users, you could create a policy for the users, then, in the Controller, set the Authorize attribute as below:

 [Authorize(Policy = "policyforUser")]
 public class HomeController : Controller

More detail information about create policy, see the following links:

Policy-based authorization in ASP.NET Core

ASP.NET Core Authorize AD Groups through web.config

ASP.NET Core - Authorization Using Windows Authentication

Using AD groups to authorise access to pages using IIS Windows Authentication

Automatic Windows Authentication over IIS, ASP.NET 5 and Microsoft SQL Server

It's a common misconception that Windows Authentication implies Impersonation. When a user authenticates to a server with Windows Integrated auth, the code on the server doesn't automatically start running as that user.

The normal configuration for an Enterprise web app is for IIS to user Windows Auth to authenticate the users, but to connect to SQL Server using the IIS App Pool Identity.

If you want the users to connect as themselves to SQL Server through the web application, that's called "Impersonation" and you need to enable and configure it. There's a SO question here that shows how to perform impersonation in your middleware. But additional confgiuration, like Kerberos Constrained Delegation configuration may be required.

The downsides of doing this are

  1. It's extra work to configure, and you may need your network admins to help.

  2. If users can connect directly to the database through the app, they can do it through other tools too. So security administration is harder, and riskier.

  3. Users can't reuse connections, so you'll have lots of idle connections.

.net core 5 Windows Authentication and Active Directory resources

There's a nuget that handles this; System.DirectoryServices.AccountManagement

It's Windows only, there's a Novel ldap version that I think is cross platform.

To authenticate:

using (var ctx = new PrincipalContext(ContextType.Domain))
{
    if (!ctx.ValidateCredentials(user_name, password))
        throw new Exception("unknown username or password");

    using (var userPrinciple = new UserPrincipal(ctx)) {
        userPrinciple.SamAccountName = user_name;

        using (var search = new PrincipalSearcher(userPrinciple))
        {
            UserPrincipal user = (UserPrincipal) search.FindOne();
            if (user == null) {
                throw new Exception("user authenticated but not found in directory");
            }
            return user; // auth'ed user
        }
    }
}

To authorize (by group membership):

using (var ctx = new PrincipalContext(ContextType.Domain))
{
    using (var groupPrinciple = new GroupPrincipal(ctx))
    {
        groupPrinciple.SamAccountName = groupName;
        using (var search = new PrincipalSearcher(groupPrinciple))
        {
            member_list = GetMembersOfPrincipalGroup((GroupPrincipal)search.FindOne());
        }
        // member_list contains all the users of a group. 
        // I cache these in a Dictionary for faster group membership checks
    }
}

Note that the ContextType enum handles local machine users as well as domain.
Search on the nuget package for more examples.

How do I pass the windows authentication token on a web request to an api?

To send Windows credentials, you need to set the UseDefaultCredentials property of the HttpClientHandler used by HttpClient. There is an example of how to do this with IHttpClientFactory in the documentation.

In your case, it should look something like this:

services.AddHttpClient("CommonApi",
                client =>
                {
                    client.BaseAddress = new Uri(commonApiSettings.BaseAddress);
                    client.DefaultRequestHeaders.Add("Accept", "application/json");
                    client.DefaultRequestHeaders.Add("User-Agent", "AspNetCore-Demo");
                })
            .ConfigurePrimaryHttpMessageHandler(() =>
                new HttpClientHandler
                {
                    UseDefaultCredentials = true
                });

Related Topics

Is Using an an 'Async' Lambda with 'Task.Run()' Redundant

Programmatically Getting the Last Filled Excel Row Using C#

Preventing Jit Inlining on a Method

How to Catch Exceptions from a Threadpool.Queueuserworkitem

Convert Anonymous Type to Class

How to Upload Files Using Ajax to ASP.NET MVC Controller Action

How to Get an Extension Method to Change the Original Object

Aggregate $Lookup with C#

Does Anyone Know of a Good C# API for Subversion

Opening a "Known File Type" into Running Instance of Custom App - .Net

How to Disable the Horizontal Scrollbar in a Panel

Looking for C# Equivalent of Scanf

List Array Duplicates with Count

Using Graphics.Drawimage() to Draw Image with Transparency/Alpha Channel

How Does Deferred Linq Query Execution Actually Work

Parsing Xml with Ampersand

How to Use Extension Methods and Linq in .Net 2.0 or 3.0

+= Operator with Events


Leave a reply



Submit