
http://forums.asp.net/t/1894061.aspx?ASP+NET+MVC+integration+with+Active+Directory

In regards to the post above.

I have been trying to implement Active Directory security using IIS Express for my local development environment using Visual Studio 2013. Currently I have modified IIS Express to allow me to override the authentication methods in the applicationhost.config, as specified in this post:

IIS Express Windows Authentication

In addition, I also made the default application pool user a valid Domain Administrator. I modified the Authorize attribute on the Home Controller of a basic MVC site. Then on the home controller I added the following code, as suggested in the first post I mentioned. The code is below. When I browse to this page it only shows the groups of the local machine that I belong to. It does not show the groups of the domain that I belong to. Because of this I cannot actually authorize any groups on my domain, only groups that exist locally. Why is that? Any assistance would be helpful.

<h2>Logged in as: @User.Identity.Name</h2>
<h2>Groups</h2>
<ul>
@{
    // Only a WindowsIdentity carries token groups; under any other auth mode the cast yields null
    var id = User.Identity as System.Security.Principal.WindowsIdentity;
    if (id != null)
    {
        foreach (var g in id.Groups)
        {
            // Translate the SID to DOMAIN\name, then also try the bare name without the authority
            var name = g.Translate(typeof(System.Security.Principal.NTAccount)).Value;
            var nameWithoutAuthority = name;
            var idx = name.IndexOf('\\');
            if (idx >= 0)
            {
                nameWithoutAuthority = name.Substring(idx + 1);
            }
            <li>@g.Value,
                @name,
                @User.IsInRole(name),
                @nameWithoutAuthority,
                @User.IsInRole(nameWithoutAuthority)
            </li>
        }
    }
}
</ul>
  • Out of interest, are you logged into your local computer on a domain account or are you logged in as a local user? Just wondering if that may be the issue. – sarin Mar 31 '14 at 12:33
  • I'm logged in as a domain account and that domain account is a domain administrator. I doubt that this is an issue. – John Hartsock Apr 02 '14 at 14:23
    What is the full @User.Identity.Name displaying on the web page i.e. does it include your full domain? It feels like you are not in as a domain user. – sarin Apr 02 '14 at 15:17
  • This existing stackoverflow post looks promising: [Configure asp.net mvc for AD authentication](http://stackoverflow.com/questions/10279140/configure-asp-net-mvc-for-authentication-against-ad). This is a different approach that doesn't involve editing your IISExpress applicationconfig. [This post](http://stackoverflow.com/questions/21305301/mapping-user-identity-in-net-mvc-app-to-active-directory-user) adds some more config which may be worth trying. [This post](http://forums.asp.net/t/1450589.aspx?ASP+Windows+authentication+Authorziation+not+working+for+Active+Directory+groups) I don't like. – sarin Apr 02 '14 at 15:18
  • @sarin I have tried all these things. – John Hartsock Apr 03 '14 at 18:28
  • What do you get if you try the fully qualified reference to the current request context: var id = HttpContext.Current.User.Identity as System.Security.Principal.WindowsIdentity; or var id = Controller.Request.LogonUserIdentity; – Only You Apr 04 '14 at 03:02
  • I actually get a valid domain user, Domain\someuser.... but the groups are not working – John Hartsock Apr 04 '14 at 18:35
  • Is your web server joined to the domain? – BateTech Apr 06 '14 at 03:28

1 Answer

The behaviour you are seeing would appear to be by design, see Which Groups Does WindowsIdentity.Groups Return?

To summarise:

Under the covers, WindowsIdentity populates the groups collection by querying Windows for information on the groups that the user token is a member of. However, before returning this list, the Groups property filters out some of the returned groups.

Specifically, any groups which were on the token for deny-only will not be returned in the Groups collection. Similarly, a group which is the SE_GROUP_LOGON_ID will not be returned.

...If you want to retrieve all of the groups however, there's not an easy built-in way for you to do this. Instead, you'll have to P/Invoke to the GetTokenInformation API to retrieve the groups yourself.

using System;
using System.Linq;
using System.Security.Principal;

// Extension methods must live in a non-nested static class
static class Program
{
    public static void Main()
    {
        using (WindowsIdentity currentIdentity = WindowsIdentity.GetCurrent())
        {
            var groups = // Get all of the groups from our account, and translate them from IdentityReferences to NTAccounts
                        from groupIdentity in currentIdentity.Groups
                        where groupIdentity.IsValidTargetType(typeof(NTAccount))
                        select groupIdentity.Translate(typeof(NTAccount)) as NTAccount into ntAccounts

                        // Split each NTAccount into its domain and account name, ordering by domain
                        let domainName = ntAccounts.GetDomainName()
                        let groupName = ntAccounts.GetAccountName()
                        orderby domainName

                        // Group the sorted accounts by the domain they belong to, and sort the grouped groups by domain name
                        group ntAccounts by domainName into domainGroups
                        orderby domainGroups.Key
                        select domainGroups;

            foreach (var domainGroups in groups)
            {
                Console.WriteLine("Groups from domain: {0}", domainGroups.Key);

                foreach (var group in domainGroups)
                {
                    Console.WriteLine("    {0}", group.GetAccountName());
                }
            }
        }
    }

    // "DOMAIN\name" -> "DOMAIN"; well-known accounts without an authority prefix yield ""
    private static string GetDomainName(this NTAccount account)
    {
        string[] split = account.Value.Split('\\');
        return split.Length == 1 ? String.Empty : split[0];
    }

    // "DOMAIN\name" -> "name"
    private static string GetAccountName(this NTAccount account)
    {
        string[] split = account.Value.Split('\\');
        return split[split.Length - 1];
    }
}
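The P/Invoke route the answer mentions, as an added example that is not code from the answer or from the linked article: it reads the token's TOKEN_GROUPS through GetTokenInformation and marks every entry that the Groups property would hide (deny-only and logon-id), so you can see exactly which memberships User.IsInRole will never honour. The class and member names are mine; inside the MVC view you would pass `User.Identity as WindowsIdentity` instead of `WindowsIdentity.GetCurrent()`, and it runs on Windows only.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
// Added example: raw TOKEN_GROUPS via GetTokenInformation, annotated with what WindowsIdentity.Groups drops
static class TokenGroupAudit
{
    const uint SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010; // winnt.h attribute flags
    const uint SE_GROUP_LOGON_ID = 0xC0000000;
    const int TokenGroups = 2;                          // TOKEN_INFORMATION_CLASS.TokenGroups
    [StructLayout(LayoutKind.Sequential)] struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr buffer, int length, out int needed);

    // Every group on the token as (SID, attribute flags), with none of the Groups property's filtering
    public static List<KeyValuePair<SecurityIdentifier, uint>> GetRawTokenGroups(WindowsIdentity identity)
    {
        int needed;
        GetTokenInformation(identity.Token, TokenGroups, IntPtr.Zero, 0, out needed); // size probe
        IntPtr buffer = Marshal.AllocHGlobal(needed);
        try {
            if (!GetTokenInformation(identity.Token, TokenGroups, buffer, needed, out needed))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            // TOKEN_GROUPS layout: DWORD GroupCount, then a pointer-aligned SID_AND_ATTRIBUTES array
            int count = Marshal.ReadInt32(buffer);
            IntPtr first = IntPtr.Add(buffer, IntPtr.Size);
            int size = Marshal.SizeOf(typeof(SID_AND_ATTRIBUTES));
            var result = new List<KeyValuePair<SecurityIdentifier, uint>>(count);
            for (int i = 0; i < count; i++) {
                var e = (SID_AND_ATTRIBUTES)Marshal.PtrToStructure(IntPtr.Add(first, i * size), typeof(SID_AND_ATTRIBUTES));
                result.Add(new KeyValuePair<SecurityIdentifier, uint>(new SecurityIdentifier(e.Sid), e.Attributes));
            }
            return result;
        } finally { Marshal.FreeHGlobal(buffer); }
    }

    public static void Main()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent()) {
            var visible = new HashSet<string>();
            foreach (IdentityReference g in id.Groups) visible.Add(g.Value); // what the filtered property exposes
            foreach (var kv in GetRawTokenGroups(id)) {
                string name;
                try { name = kv.Key.Translate(typeof(NTAccount)).Value; }
                catch (IdentityNotMappedException) { name = kv.Key.Value; } // unresolvable SID: show it raw
                string kind = (kv.Value & SE_GROUP_USE_FOR_DENY_ONLY) != 0 ? "deny-only" : (kv.Value & SE_GROUP_LOGON_ID) == SE_GROUP_LOGON_ID ? "logon-id" : "";
                Console.WriteLine("{0,-55} {1,-10} {2}", name, kind, visible.Contains(kv.Key.Value) ? "" : "hidden from Groups");
            }
        }
    }
}
```

Run it under the same account that IIS Express impersonates: a domain group that appears only as deny-only will never satisfy an Authorize attribute, whatever the view prints.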