
Has anyone successfully created an ASP.NET Core 2.0 app using Windows Authentication in IIS to query an LDAP source (in-house AD instance) and placed the group membership into Roles as Claims to properly fuel the [Authorize] annotation? The documentation of the middleware does not directly address how to do this or is dated amidst some releases of System.DirectoryServices 4.5preview for aspnetcore. I know that .NET Framework gives us native access to the group membership via System.DirectoryService. My question is whether you could try to use a filter instead of middleware and query LDAP for the groups and store as claims in a cookie. Is there a simpler way to do this? I have a query to our LDAP source working in Novell.Directory.Ldap standard that I can use where appropriate to iterate.

Thanks in advance for your advice.

dodegaard
  • Has anyone done this for asp.net core 2.1? – ExceptionalException Aug 14 '18 at 15:14
  • You can take a look at [this](http://mikko.repolainen.fi/documents/aspdotnet-core-windows-authentication) and [official document](https://docs.microsoft.com/en-us/aspnet/core/security/authorization/roles?view=aspnetcore-2.1). If you are using LDAP query, you are likely to create your own policy: see [this question](https://stackoverflow.com/questions/31464359/how-do-you-create-a-custom-authorizeattribute-in-asp-net-core) – CSakura Aug 14 '18 at 17:57

1 Answer


You can use a Policy configured in your Startup.cs to define an AD Group that you can use with the Authorize attribute. You'll notice, however, that instead of using the group name, you'll have to use the SID of the group in the line `policy.RequireRole("S-1-5-4")`.

    using Microsoft.AspNetCore.Server.IISIntegration;   // IISDefaults, IISOptions
    using Microsoft.Extensions.DependencyInjection;

    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            // Let the IIS integration layer hand the Windows identity to the app
            services.Configure<IISOptions>(options =>
            {
                options.AutomaticAuthentication = true;
            });

            // IISDefaults.AuthenticationScheme is the "Windows" scheme
            services.AddAuthentication(IISDefaults.AuthenticationScheme);

            services.AddAuthorization(options =>
            {
                options.AddPolicy("OnlyEmployees", policy =>
                {
                    policy.AddAuthenticationSchemes(IISDefaults.AuthenticationScheme);
                    // The role is matched by the group's SID, not by its name
                    policy.RequireRole("S-1-5-4");
                });
            });

            services.AddMvc();
        }
    }

To utilize the policy, decorate your controller with the authorize attribute like so:

    [Authorize(Policy = "OnlyEmployees")]

To find the SID of the group, you can query AD using the PowerShell command `Get-ADGroup -Identity YOUR_GROUP_NAME`, which will return the SID of the group.

Note: This answer was found here and the code is available here.

zdub
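The answer above keys the policy on a raw group SID. A complementary piece, added here as an example that is not part of the answer or of the linked code, is an `IClaimsTransformation` that turns the `ClaimTypes.GroupSid` claims IIS Windows Authentication already places on the `WindowsIdentity` into named role claims, so controllers can use `[Authorize(Roles = "Employees")]` instead of a SID literal. The class name, the authentication-type label and the SID-to-role dictionary are assumptions; the two SIDs are made-up placeholders to be replaced with the values `Get-ADGroup` returns for your groups.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

// Added example, not code from the answer above. Maps the group SIDs that the
// Windows token already carries (as ClaimTypes.GroupSid claims on the
// WindowsIdentity) onto friendly role names.
//
// Register in Startup.ConfigureServices, next to AddAuthentication(...):
//     services.AddTransient<IClaimsTransformation, GroupSidToRoleClaimsTransformation>();
// Then:
//     [Authorize(Roles = "Employees")]
public sealed class GroupSidToRoleClaimsTransformation : IClaimsTransformation
{
    // Assumed mapping. The SIDs below are placeholders (fictitious domain part
    // and RIDs); replace them with the real group SIDs from your domain.
    private static readonly IReadOnlyDictionary<string, string> RolesBySid =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["S-1-5-21-1111111111-2222222222-3333333333-1105"] = "Employees",
            ["S-1-5-21-1111111111-2222222222-3333333333-1120"] = "Admins",
        };

    // Label for the identity we attach; name is an assumption.
    private const string MappedAuthType = "GroupSidRoleMapping";

    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Transformation can run more than once per request (every
        // AuthenticateAsync call); do not stack duplicate identities.
        if (principal.Identities.Any(i => i.AuthenticationType == MappedAuthType))
        {
            return Task.FromResult(principal);
        }

        var groupSids = principal.FindAll(ClaimTypes.GroupSid).Select(c => c.Value);
        var roleClaims = MapRoles(groupSids)
            .Select(role => new Claim(ClaimTypes.Role, role))
            .ToList();

        if (roleClaims.Count > 0)
        {
            // WindowsIdentity.RoleClaimType is ClaimTypes.GroupSid, so a
            // ClaimTypes.Role claim added to it directly is ignored by IsInRole.
            // A second identity whose RoleClaimType is ClaimTypes.Role makes
            // ClaimsPrincipal.IsInRole (and RequireRole / [Authorize(Roles=...)])
            // see the mapped names. The WindowsIdentity stays the primary one,
            // so User.Identity.Name is unchanged.
            principal.AddIdentity(new ClaimsIdentity(
                roleClaims, MappedAuthType, ClaimTypes.Name, ClaimTypes.Role));
        }

        return Task.FromResult(principal);
    }

    // Pure mapping kept separate so it can be unit-tested without a Windows token.
    // Unknown SIDs are dropped; duplicates (e.g. two groups mapped to one role)
    // collapse to a single role.
    public static IEnumerable<string> MapRoles(IEnumerable<string> groupSids)
    {
        return groupSids
            .Where(sid => sid != null && RolesBySid.ContainsKey(sid))
            .Select(sid => RolesBySid[sid])
            .Distinct(StringComparer.Ordinal);
    }
}
```

Two points worth knowing when choosing between this and an LDAP lookup: the token's `GroupSid` claims already contain nested group membership expanded by the domain controller at logon, whereas an LDAP `memberOf` query returns only direct membership unless you expand it yourself; and because `IClaimsTransformation` runs on every authentication pass, keep it free of remote calls (a static map, or a cached lookup) rather than querying LDAP inline.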