.NET Core MVC 5 Windows Authentication
the error "Type or namespace 'Users' could not be found".
From the AuthorizeAttribute class, we can see that the Authorize attribute only has the Roles and Policy properties, without a Users property, so it will show the above error.
If you want to set authorization rights for specified users, you could create a policy for those users and then, in the controller, set the Authorize attribute as below:
[Authorize(Policy = "policyforUser")]
public class HomeController : Controller
For more detailed information about creating a policy, see the following links:
Policy-based authorization in ASP.NET Core
ASP.NET Core Authorize AD Groups through web.config
ASP.NET Core - Authorization Using Windows Authentication
Using AD groups to authorise access to pages using IIS Windows Authentication
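One concrete way to register the "policyforUser" policy referenced above, as an added example that is not part of the answer: it allow-lists Windows account names in Startup.ConfigureServices of an ASP.NET Core 5 app. The account names are placeholders, and hosting on Kestrel with the Negotiate handler is an assumption; under IIS in-process hosting, Windows Authentication is enabled in IIS instead and the AddNegotiate() call is not needed.

```csharp
// Added example, not code from the answer above. Assumes Kestrel hosting with
// the Microsoft.AspNetCore.Authentication.Negotiate package; account names are placeholders.
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Windows (Kerberos/NTLM) authentication via the Negotiate handler.
        services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
                .AddNegotiate();

        services.AddAuthorization(options =>
        {
            // Allow-list of Windows account names as the Negotiate handler reports them
            // (DOMAIN\user). SAM account names are not case sensitive, so compare
            // case-insensitively to avoid a spurious deny on "contoso\Alice".
            var allowedUsers = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            {
                @"CONTOSO\alice",   // placeholder account
                @"CONTOSO\bob",     // placeholder account
            };

            // The policy the [Authorize(Policy = "policyforUser")] attribute points at:
            // the caller must be authenticated AND be on the allow-list.
            options.AddPolicy("policyforUser", policy =>
                policy.RequireAuthenticatedUser()
                      .RequireAssertion(ctx =>
                          ctx.User.Identity?.Name is string name
                          && allowedUsers.Contains(name)));

            // Fail closed: every endpoint requires an authenticated user unless it
            // is explicitly marked [AllowAnonymous].
            options.FallbackPolicy = options.DefaultPolicy;
        });

        services.AddControllersWithViews();
    }
}
```

Keeping the allow-list in configuration rather than in source lets you change the set of permitted accounts without a redeploy; a policy built from Roles (AD groups) scales better than naming users once the list grows.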
Automatic Windows Authentication over IIS, ASP.NET 5 and Microsoft SQL Server
It's a common misconception that Windows Authentication implies Impersonation. When a user authenticates to a server with Windows Integrated auth, the code on the server doesn't automatically start running as that user.
The normal configuration for an enterprise web app is for IIS to use Windows Auth to authenticate the users, but to connect to SQL Server using the IIS App Pool Identity.
If you want the users to connect as themselves to SQL Server through the web application, that's called "Impersonation" and you need to enable and configure it. There's a SO question here that shows how to perform impersonation in your middleware. But additional configuration, like Kerberos Constrained Delegation configuration, may be required.
The downsides of doing this are:
It's extra work to configure, and you may need your network admins to help.
If users can connect directly to the database through the app, they can do it through other tools too. So security administration is harder, and riskier.
Users can't reuse connections, so you'll have lots of idle connections.
.net core 5 Windows Authentication and Active Directory resources
There's a NuGet package that handles this: System.DirectoryServices.AccountManagement.
It's Windows only; there's a Novell LDAP version that I think is cross platform.
To authenticate:
using System;
using System.DirectoryServices.AccountManagement;

// Validates the supplied credentials against the domain and returns the
// matching directory entry for the account.
static UserPrincipal Authenticate(string user_name, string password)
{
    using (var ctx = new PrincipalContext(ContextType.Domain))
    {
        if (!ctx.ValidateCredentials(user_name, password))
            throw new Exception("unknown username or password");

        // Query-by-example: a template principal with only the SAM account name set.
        using (var userPrinciple = new UserPrincipal(ctx))
        {
            userPrinciple.SamAccountName = user_name;
            using (var search = new PrincipalSearcher(userPrinciple))
            {
                UserPrincipal user = (UserPrincipal) search.FindOne();
                if (user == null)
                {
                    throw new Exception("user authenticated but not found in directory");
                }
                // Note: the principal's lazily loaded properties need the context, which is
                // disposed on return; read what you need (or copy it) before leaving the scope.
                return user; // auth'ed user
            }
        }
    }
}
To authorize (by group membership):
using System.DirectoryServices.AccountManagement;

using (var ctx = new PrincipalContext(ContextType.Domain))
{
    // Query-by-example: a template group principal with only the SAM account name set.
    using (var groupPrinciple = new GroupPrincipal(ctx))
    {
        groupPrinciple.SamAccountName = groupName;
        using (var search = new PrincipalSearcher(groupPrinciple))
        {
            // GetMembersOfPrincipalGroup is the poster's own helper (not shown in the post);
            // GroupPrincipal.GetMembers(true) is the built-in call that walks nested groups.
            var member_list = GetMembersOfPrincipalGroup((GroupPrincipal)search.FindOne());
            // member_list contains all the users of a group.
            // I cache these in a Dictionary for faster group membership checks
        }
    }
}
Note that the ContextType enum handles local machine users as well as domain.
Search on the nuget package for more examples.
How do I pass the windows authentication token on a web request to an api?
To send Windows credentials, you need to set the UseDefaultCredentials property of the HttpClientHandler used by HttpClient. There is an example of how to do this with IHttpClientFactory in the documentation.
In your case, it should look something like this:
services.AddHttpClient("CommonApi", client =>
{
    client.BaseAddress = new Uri(commonApiSettings.BaseAddress);
    client.DefaultRequestHeaders.Add("Accept", "application/json");
    client.DefaultRequestHeaders.Add("User-Agent", "AspNetCore-Demo");
})
.ConfigurePrimaryHttpMessageHandler(() =>
    new HttpClientHandler
    {
        // Send the current Windows identity (the app pool / process account) to the API.
        UseDefaultCredentials = true
    });