3

My goal is to check if a user is a member of a specific Active Directory group.

In .NET MVC I was using this code inside my service

HttpContext.Current.Request.LogonUserIdentity.Groups
                    .Any(x => x.Translate(typeof(NTAccount)).Value == "some role");

and it worked well. In .NET Core MVC 2.1.2 I pass IHttpContextAccessor into the service constructor and try to use the following

_httpAccessor.HttpContext.User.Identity.LogonUserIdentity.Groups

but there is an issue, because Identity does not contain LogonUserIdentity. I tried to find a solution but I was not successful. How can I get the list of user groups, or check if the user is a member of a specific one?

Muflix
  • It may not have the exact answer, but have you seen & followed this guide: [Configure Windows Authentication in ASP.NET Core](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth) – Peter B Nov 07 '18 at 14:14
  • This might also help: [ASP.NET Core 2.0 LDAP Active Directory Authentication](https://stackoverflow.com/q/49682644/1220550) – Peter B Nov 07 '18 at 14:20
  • Thank you Peter, IIS is configured for Windows authentication already, that works. The second approach uses a direct connection to LDAP, but I tried it before and it is slow. I would like to use the HTTP context in some way as before. I hope the function was moved somewhere else and is not missing completely. – Muflix Nov 07 '18 at 14:25
  • I totally forgot about this function `_httpAccessor.HttpContext.User.IsInRole("role name")`; I think that is what I need. – Muflix Nov 07 '18 at 14:28
  • In as much as AD Groups are added as roles when using Windows Auth, yes, that should work for checking group membership. Just be mindful of the fact that you're actually querying roles, not groups directly in AD. – Chris Pratt Nov 07 '18 at 15:53
  • @Chris Pratt: I know that the input parameter is the name of the role, but if I pass the full name of the Active Directory group with the domain name, it works directly without additional configuration. – Muflix Nov 08 '18 at 08:38

1 Answer

7

Apart from the built-in function which checks the permission by "Roles", if you want to check by a specific AD group, you can also use the code below:

using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Principal;

public static class Security
{
    // Extension method on ClaimsPrincipal: true when the Windows identity carries a
    // group whose translated NT account name (e.g. "DOMAIN\Group") equals GroupName.
    public static bool IsInGroup(this ClaimsPrincipal User, string GroupName)
    {
        var groups = new List<string>();

        // Only a Windows-authenticated identity has a group list. Anything else
        // (anonymous, cookie auth) is not a WindowsIdentity, so return false
        // instead of throwing an InvalidCastException on a hard cast.
        var wi = User?.Identity as WindowsIdentity;
        if (wi?.Groups != null)
        {
            foreach (var group in wi.Groups)
            {
                try
                {
                    // Translate the group SID to an account name; this can throw
                    // (e.g. IdentityNotMappedException) for deleted or
                    // unresolvable groups.
                    groups.Add(group.Translate(typeof(NTAccount)).ToString());
                }
                catch (Exception)
                {
                    // ignored: an unresolvable SID cannot match the requested name
                }
            }
            return groups.Contains(GroupName);
        }
        return false;
    }
}

And use it as:

if (User.IsInGroup("GroupName"))
{
    // the current user is a member of the group
}
Nan Yu
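As an added example (not the answer's own code), the same membership check done by SID instead of by translated name: a Windows-authenticated ClaimsPrincipal already carries one ClaimTypes.GroupSid claim per enabled group, so only the target group name needs one translation, and the comparison is unaffected by display-name localisation or group renames. It assumes Windows authentication, as the answer does; the class and method names are my own.

```csharp
using System;
using System.Security.Claims;
using System.Security.Principal;

// Added example, not part of the original answer.
public static class GroupSidCheck
{
    // True when the principal's Windows identity carries the SID of groupName.
    // groupName may be "DOMAIN\Group" or a bare "Group" name.
    public static bool IsInGroupBySid(this ClaimsPrincipal user, string groupName)
    {
        // Any non-Windows identity (anonymous, cookie auth) has no group SIDs:
        // answer "no" rather than throw.
        if (!(user?.Identity is WindowsIdentity))
            return false;

        SecurityIdentifier targetSid;
        try
        {
            // One directory lookup: resolve the requested name to its SID.
            targetSid = (SecurityIdentifier)new NTAccount(groupName)
                .Translate(typeof(SecurityIdentifier));
        }
        catch (IdentityNotMappedException)
        {
            // Unknown or mistyped group name: fail closed, never treat as a match.
            return false;
        }

        // Group SIDs are exposed as claims; enabled groups use ClaimTypes.GroupSid,
        // deny-only groups use a different claim type and so do not match here.
        return user.HasClaim(ClaimTypes.GroupSid, targetSid.Value);
    }
}
```

Because the check runs against the claims already on the principal, it reflects the group list captured at logon, so a newly added membership still needs a fresh logon to appear.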
  • Thank you, the `_httpAccessor.HttpContext.User.IsInRole("\\")` works also. – Muflix Nov 08 '18 at 08:41
  • I have created a group in Active Directory and added my current user to it, but when I list them out like that, the group cannot be found. – martis martis May 21 '20 at 14:49
  • @martismartis, the user should log off and log in again to check, because AD is using a cache. I like using IsInRole (mentioned by Muflix) much better. – FLICKER Jun 27 '22 at 04:13