MVC Authentication/Authorization with Active Directory in IIS Express

StackOverflow https://stackoverflow.com/questions/22701970

Question

http://forums.asp.net/t/1894061.aspx?ASP+NET+MVC+integration+with+Active+Directory

In regards to the post above.

I have been trying to implement Active Directory Security using IIS Express for my local development enviornment using Visual Studio 2013. Currently I have modified the IIS Express to allow me to override the authentication methods in the applicationhost.config. As specified in this post

IIS Express Windows Authentication

In addtion, I also made the default applicationpool user a valid Domain Administrator. I modified the Authorize attribute on the Home Controller of a basic MVC Site. Then on the home controller added the following code, as suggested in the first post I mentioned. The code is below. When I browse to this page It only shows the groups of the local machine that I belong to. It does not show the groups of the Domain that I belong to. Because of this I cannot actually Authorize any groups on my Domain only groups that exist locally. Why is that? Any assistance would be helpful.

<h2>Logged in as: @User.Identity.Name</h2>
<h2>Groups</h2>
<ul>
@{
    var id = User.Identity as System.Security.Principal.WindowsIdentity;
    foreach(var g in id.Groups)
    {
        var name = g.Translate(typeof(System.Security.Principal.NTAccount)).Value;
        var nameWithoutAuthority = name;
        var idx = name.IndexOf('\\');
        if (idx >= 0)
        {
            nameWithoutAuthority = name.Substring(idx + 1);
        }
        <li>@g.Value,
            @name,
            @User.IsInRole(name),
            @nameWithoutAuthority,
            @User.IsInRole(nameWithoutAuthority)
        </li>
    }
}
</ul>
Was it helpful?

Solution

The behaviour you are seeing would appear to be by design, see Which Groups Does WindowsIdentity.Groups Return?

To summarise

Under the covers, WindowsIdentity populates the groups collection by querying Windows for information on the groups that the user token is a member of. However, before returning this list, the Groups property filters out some of the returned groups.

Specifically, any groups which were on the token for deny-only will not be returned in the Groups collection. Similarly, a group which is the SE_GROUP_LOGON_ID will not be returned.

...If you want to retrieve all of the groups however, there's not an easy built-in way for you to do this. Instead, you'll have to P/Invoke to the GetTokenInformation API to retrieve the groups yourself.

public static void Main()
{
    using (WindowsIdentity currentIdentity = WindowsIdentity.GetCurrent())
    {               
        var groups = // Get all of the groups from our account, and translate them from IdentityReferences to NTAccounts  
                    from groupIdentity in currentIdentity.Groups
                    where groupIdentity.IsValidTargetType(typeof(NTAccount))
                    select groupIdentity.Translate(typeof(NTAccount)) as NTAccount into ntAccounts

                    // Sort the NTAccounts by their account name
                    let domainName = ntAccounts.GetDomainName()
                    let groupName = ntAccounts.GetAccountName()
                    orderby domainName

                    // Group the sorted accounts by the domain they belong to, and sort the grouped groups by domain name
                    group ntAccounts by domainName into domainGroups
                    orderby domainGroups.Key
                    select domainGroups;

        foreach (var domainGroups in groups)
        {
            Console.WriteLine("Groups from domain: {0}", domainGroups.Key);

            foreach (var group in domainGroups)
            {
                Console.WriteLine("    {0}", group.GetAccountName());
            }
        }
    }
}

private static string GetDomainName(this NTAccount account)
{
    string[] split = account.Value.Split('\\');
    return split.Length == 1 ? String.Empty : split[0];
}

private static string GetAccountName(this NTAccount account)
{
    string[] split = account.Value.Split('\\');
    return split[split.Length - 1];
}
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top