
I am creating a C# Winform Application which will be used in a corporate domain (Windows Active Directory). The app is to behave as the following:

  1. When a user opens the App, the App checks if the current user is part of an Active Directory group.
  2. If it is, the app then allows the user to use the app.

From Google searches, I found several ways to check if a user is part of an Active Directory group. For example, in the link here => How to check if a user belongs to an AD group?

My concern is the security part of this. What if someone spoofs a username and domain? He won't need to know the password to gain access to the app.

Filburt
user1034912
  • In a Windows Forms app, the process is running as the current user. If you get the current WindowsPrincipal (/WindowsIdentity), that's the current user, no usernames or passwords required – Flydog57 Jun 23 '20 at 14:24
  • Thinking about it some more... WindowsPrincipal.IsInRole may do everything you want https://learn.microsoft.com/en-us/dotnet/api/system.security.principal.windowsprincipal.isinrole – Flydog57 Jun 23 '20 at 14:32

1 Answer

Don't do a lookup. The SID of every group the user is a member of (recursively) is part of the user's login token. So you can just use WindowsPrincipal.IsInRole(). If you only have the name of the group, you can give it that:

using System.Security.Principal;

// Wraps the access token of the current process; no username or password is supplied by the caller.
var currentUser = new WindowsPrincipal(WindowsIdentity.GetCurrent());
// Resolves the group name to its SID (network request), then checks the token for that SID.
bool allowed = currentUser.IsInRole("SomeGroup");

That translates the name into the SID and checks the login token for that SID. That requires a network request. If you can give it the SID of the group instead, then you can save that network request:

// Placeholder SID as given in the answer; use the real group SID here.
var groupSid = new SecurityIdentifier("S-1-5-21-blah");
// Compares directly against the SIDs already in the token; no network request.
bool allowed = currentUser.IsInRole(groupSid);
Gabriel Luci
  • Thanks Gabriel, so are you saying the SID is unique and can't be forged by anyone? – user1034912 Jun 23 '20 at 22:47
  • 1
    @user1034912 Every SID is unique, yes. I certainly doubt any SID can be forged - it's the foundation of security in Windows and AD (all file system and AD permissions are granted to SIDs). And the access token certainly cannot be forged. The access token is what Windows creates when a user is successfully authenticated, and it contains every group that the user is a member of. That's why I'm suggesting you use that. Windows already did all the work for you. – Gabriel Luci Jun 24 '20 at 00:27
  • 1
    To understand it better, see the documentation for [Security Identifiers](https://learn.microsoft.com/en-us/windows/win32/secauthz/security-identifiers) and [Access Tokens](https://learn.microsoft.com/en-us/windows/win32/secauthz/access-tokens). – Gabriel Luci Jun 24 '20 at 00:27
  • Thanks Gabriel, I've read the documentation you've shared. What if someone spoofs a domain controller? Make a domain controller with the same name and create tokens from it? – user1034912 Jun 24 '20 at 00:53
  • 1
    Spoofing a domain controller is not a thing that can happen. If you create a DC with the same domain name, it's still a different domain. The domain SID is randomly generated, and the domain SID is the first part of the SID of every object on the domain. Even if you somehow manage to spoof the domain SID, the other DCs have no relationship to it - they won't trust it because it's not in their list of DCs. Also, DNS will not include it - if you lookup the domain name in DNS, it returns the IPs of all the DCs, so you have to own the domain to be able to add an IP to that list. – Gabriel Luci Jun 24 '20 at 01:52
  • See here for a further discussion of that: https://www.reddit.com/r/activedirectory/comments/as0949/spoofed_domain_controller/ – Gabriel Luci Jun 24 '20 at 01:52
  • Thanks, I will accept this answer. Thanks for your time. My problem is a bit more complicated, which I failed to specify properly. I've opened up another question so it's more specific: https://stackoverflow.com/questions/62546868/can-an-application-server-outside-a-windows-domain-verify-a-user-of-that-domain – user1034912 Jun 24 '20 at 03:01
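Putting the answer together as a startup gate for the Winforms app, as an added example that is not code from the question or the answer. The group SID value and the `MainForm` class are assumptions; the SID is a constructed placeholder that parses but matches no real group.

```csharp
using System;
using System.Security.Principal;
using System.Windows.Forms;

static class Program
{
    // Constructed placeholder (valid SDDL syntax, not a real group); replace with the SID of the
    // AD group that is allowed to use the app. Using the SID avoids the name lookup entirely.
    const string RequiredGroupSid = "S-1-5-21-0-0-0-1234";

    // Returns true only if the process token already carries the group's SID.
    // The token was built by Windows when the user authenticated at logon, so nothing
    // here comes from user-supplied input; a typed-in username or domain cannot influence it.
    static bool IsCurrentUserInGroup(SecurityIdentifier groupSid)
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            var principal = new WindowsPrincipal(identity);
            // IsInRole(SecurityIdentifier) compares against the token's group SIDs locally,
            // unlike IsInRole("DOMAIN\\GroupName"), which first resolves the name over the network.
            return principal.IsInRole(groupSid);
        }
    }

    [STAThread]
    static void Main()
    {
        var groupSid = new SecurityIdentifier(RequiredGroupSid);

        if (!IsCurrentUserInGroup(groupSid))
        {
            MessageBox.Show("You are not a member of the group required to use this application.",
                            "Access denied", MessageBoxButtons.OK, MessageBoxIcon.Stop);
            return; // exit before any form is created
        }

        Application.EnableVisualStyles();
        Application.Run(new MainForm()); // MainForm is assumed to be the app's main window
    }
}
```

Because the group SIDs are captured in the token at logon, a user who is added to (or removed from) the group only sees the change after logging off and on again.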