We have an ASP.NET (Framework v4.7.2) website that uses federated login, via Azure Active Directory, for SSO purposes, to authenticate users.
The website expects a user to be in a certain Active Directory group in order to access the site. Myself and another user are in the same group, but when we both access the site, we get a different result. I am able to access the site, but my colleague gets a "401 unauthorised" error page (which is returned via the AuthorizeAttribute).
Looking deeper into this, I can see that the AD group that I belong to is included as a claim in this collection
System.Security.Claims.ClaimsPrincipal.Current.Claims
but for my colleague that same group claim is missing.
I have some debug code which does this...
// Walk every claim on the current principal and look for one whose value
// is the object id of the required AD group.
foreach (var claim in System.Security.Claims.ClaimsPrincipal.Current.Claims)
{
    if (string.Equals("the-object-id-of-the-group", claim.Value))
    {
        // User has the group claim...
    }
}
When I log in, I see a log message stating that I have that group claim, but my colleague does not see that message when they log in.
When viewing our requests to the site in Chrome DevTools, I can see a difference in a bunch of set-cookie details. For example, my requests include many more AdminFedAuth set-cookie calls than my colleague's, and the overall content length for my colleague is much shorter.
Although my colleague is a member of more AD groups than me, that makes no difference, since other people who can access the site are members of many more groups than myself. So I thought it may have been an issue with the number of groups a person is associated with, but that is not the case.
I'm stuck on what else to investigate in order to diagnose what the problem is. Any suggestions would be appreciated.
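One way to narrow this down is to dump the complete claim set for both users (type, value and issuer, not just values) and diff the two outputs, so the check no longer depends on a value match alone. The example below is added here as an illustration and is not code from the question; it assumes the two claim types under which Azure AD commonly delivers group membership ("groups" for JWT tokens and the schemas.microsoft.com URI for SAML/WS-Fed tokens) and the names of the claims Azure AD emits in place of the group list when a token would otherwise exceed the group limit ("_claim_names", "_claim_sources", "hasgroups"). The Demo method builds two constructed principals so the code runs offline; in the site itself you would pass the real principal from the controller's User property.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class ClaimsDiagnostics
{
    // Assumed claim types for Azure AD group membership. Which one appears
    // depends on the token format; confirm against a dump from the working account.
    private static readonly string[] GroupClaimTypes =
    {
        "groups",
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
    };

    // Assumed claim types Azure AD emits instead of the group list when the
    // user is in more groups than fit in the token ("group overage").
    private static readonly string[] OverageClaimTypes =
    {
        "_claim_names",
        "_claim_sources",
        "hasgroups",
    };

    public sealed class Report
    {
        public bool HasTargetGroup;
        public bool HasOverageIndicator;
        public int ClaimCount;
        public List<string> Lines = new List<string>();
    }

    // Enumerates every claim on the principal, records type/value/issuer for
    // diffing between users, and flags whether the required group (and any
    // overage marker) is present.
    public static Report Inspect(ClaimsPrincipal principal, string targetGroupObjectId)
    {
        var report = new Report();
        if (principal == null)
        {
            report.Lines.Add("No principal (request not authenticated)");
            return report;
        }

        var claims = principal.Claims.ToList();
        report.ClaimCount = claims.Count;

        foreach (var c in claims)
            report.Lines.Add($"{c.Type} = {c.Value} (issuer: {c.Issuer})");

        report.HasTargetGroup = claims.Any(c =>
            GroupClaimTypes.Contains(c.Type, StringComparer.OrdinalIgnoreCase) &&
            string.Equals(c.Value, targetGroupObjectId, StringComparison.OrdinalIgnoreCase));

        report.HasOverageIndicator = claims.Any(c =>
            OverageClaimTypes.Contains(c.Type, StringComparer.OrdinalIgnoreCase));

        report.Lines.Add($"Claim count: {report.ClaimCount}");
        report.Lines.Add($"Target group {targetGroupObjectId} present: {report.HasTargetGroup}");
        report.Lines.Add($"Group-overage indicator present: {report.HasOverageIndicator}");
        return report;
    }

    // Constructed sample data: one principal carrying the group, one carrying
    // only an overage marker, mirroring the two users' differing outputs.
    public static void Demo()
    {
        const string groupId = "11111111-2222-3333-4444-555555555555"; // placeholder object id

        var withGroup = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "user.a@example.com", ClaimValueTypes.String, "https://sts.windows.net/tenant/"),
            new Claim("groups", groupId, ClaimValueTypes.String, "https://sts.windows.net/tenant/"),
        }, "Federation"));

        var withOverage = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "user.b@example.com", ClaimValueTypes.String, "https://sts.windows.net/tenant/"),
            new Claim("_claim_names", "{\"groups\":\"src1\"}", ClaimValueTypes.String, "https://sts.windows.net/tenant/"),
        }, "Federation"));

        foreach (var p in new[] { withGroup, withOverage })
        {
            foreach (var line in Inspect(p, groupId).Lines)
                Console.WriteLine(line);
            Console.WriteLine();
        }
    }

    public static void Main() => Demo();
}
```

In the site, call Inspect((ClaimsPrincipal)User, "the-object-id-of-the-group") from a controller action that is not behind the AuthorizeAttribute and write each line to your log, then compare the two users' dumps line by line. A claim set where the group value is absent but an overage marker is present means the token itself carried no group list for that user, which is worth ruling out explicitly rather than by comparison with other users.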