
I'm trying to check whether the user belongs to some groups by using SIDs.

I was using WindowsIdentity.Groups, but then noticed that sometimes it doesn't show that the user belongs to the Administrators group.

After searching a while, I've discovered that WindowsIdentity.Claims works fine instead (it includes the admin group in the results as well).
I wasn't able to find proper documentation on Claims.

So, what is the difference between Groups and Claims in WindowsIdentity, and why does Groups not show the Administrators group while Claims does?
And finally, can I safely use Claims instead of Groups?

Here's the code I have:

using System.Linq;
using System.Security.Principal;

var wi = WindowsIdentity.GetCurrent();

var sidToFind = "S-1-5-32-544"; // Hardcoded the SID of the Administrators group for demo, but in general this is a parameter of a function on my side

// This will NOT include the SID S-1-5-32-544
var groupSids = wi.Groups
    .Where(item => item.Value == sidToFind);

// This will include the SID S-1-5-32-544 and also all the other results that Groups provides.
var claimSids = wi.Claims
    .Where(item => item.Value == sidToFind);
Just Shadow
  • If you want to check whether a specific user belongs to some groups by SIDs, [this](https://stackoverflow.com/questions/62536043/how-can-i-securely-ensure-the-current-user-belongs-to-an-active-directory-group?noredirect=1&lq=1) would help you. – Abdul Wahab Mar 18 '21 at 10:11

1 Answer

There are differences between groups and claims.

  • Groups work with WORKGROUP and AD
  • Claims work with Active Directory Federation Services

Claims are a more complex way to check user identity, because claims exist not only for ADFS; you can use or create an additional claims token provider.

When we call the Groups method of WindowsIdentity, we have a restriction:

// Ignore disabled, logon ID, and deny-only groups.

The role of claims

In the claims-based identity model, claims play a pivotal role in the federation process. They are the key component by which the outcome of all Web-based authentication and authorization requests is determined. This model enables organizations to securely project digital identity and entitlement rights, or claims, across security and enterprise boundaries in a standardized way.

So, if you work only with NTLM, you can safely work with Groups, but if you want to work via federation (for example SharePoint, Google, etc.), you must use claims. Claims contain groups, but groups do not contain claims.

In order to answer the question why you do not see a certain group, you need to know its properties and location. As I wrote above and gave the link, there are restrictions on getting the list of groups. But here I found this info:

SID: S-1-5-32-544
Name: Administrators
Description: A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.

So, if your local Administrators group is disabled, you cannot see it when you get it via WindowsIdentity, even if the user is included in it.

Maxim
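The following is an added example, not code from the question or the answer. It shows the three views of the same SID side by side on the current token: what WindowsIdentity.Groups returns, what WindowsIdentity.Claims returns split by claim type (ClaimTypes.GroupSid versus ClaimTypes.DenyOnlySid), and what WindowsPrincipal.IsInRole decides. The class and method names (GroupCheck, Describe) are this example's own. It must run on Windows; the interesting case is an account that is a member of BUILTIN\Administrators but is running without elevation, where the SID is carried in the token as deny-only so that Groups omits it, Claims surfaces it as a DenyOnlySid claim, and IsInRole returns false.

```csharp
// Added example (not the question's or answer's code): compare Groups, Claims
// and IsInRole for one SID on the current Windows token.
using System;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;

static class GroupCheck
{
    // Describe how one SID appears on the token. The verdict string format is
    // this example's own; the API calls are standard System.Security.Principal.
    public static string Describe(WindowsIdentity wi, string sid)
    {
        var target = new SecurityIdentifier(sid);

        // 1. WindowsIdentity.Groups: disabled, logon-ID and deny-only groups are
        //    filtered out, so a deny-only Administrators SID is not listed here.
        bool inGroups = wi.Groups != null && wi.Groups.Any(g => g.Value == sid);

        // 2. WindowsIdentity.Claims: enabled groups become GroupSid claims,
        //    deny-only groups become DenyOnlySid claims. A deny-only SID exists on
        //    the token only so that deny ACEs naming it still apply; it must
        //    never be treated as "the user is in this group".
        bool asGroupSid = wi.Claims.Any(c => c.Type == ClaimTypes.GroupSid && c.Value == sid);
        bool asDenyOnly = wi.Claims.Any(c => c.Type == ClaimTypes.DenyOnlySid && c.Value == sid);

        // 3. WindowsPrincipal.IsInRole: asks the OS (token membership check),
        //    which honours the same attributes the kernel uses for access checks.
        bool effective = new WindowsPrincipal(wi).IsInRole(target);

        return $"{sid}: Groups={inGroups} GroupSidClaim={asGroupSid} " +
               $"DenyOnlySidClaim={asDenyOnly} IsInRole={effective}";
    }

    static void Main()
    {
        var wi = WindowsIdentity.GetCurrent();

        // S-1-5-32-544 built from the well-known SID type rather than a literal.
        string admins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null).Value;

        Console.WriteLine($"User: {wi.Name}");
        Console.WriteLine(Describe(wi, admins));
    }
}
```

If the goal is an authorization decision, use the IsInRole result (or equivalently a GroupSid claim) rather than any claim carrying the SID: matching on claim Value alone, as in the question's second query, also matches DenyOnlySid claims and would grant a non-elevated administrator something the OS itself would refuse.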