ASP.NET Core Authorize AD Groups through web.config

In my old .NET MVC app, I could enable Windows Authentication in IIS and disable anonymous. Then in my web.config file I just had to put in this:

<authorization>
  <allow roles="Domain\MyADGroupToHaveAccess" />
  <deny users="*" />
</authorization>

In .NET Core 2.0 this will not work – it denies anonymous correctly, but it authorizes all users no matter what.

If I do this:

[Authorize(Roles = "Domain\\MyADGroupToHaveAccess")]

on my HomeController, it works, but I don't want to hardcode this setting in my project as it's something that needs to be changed for other environments.

How can I make web.config to work with AD Authorization? Or is there another way to not hardcode this setting in ASP.NET Core?

Asked by Morten_564834, Jan 05 '18 12:01


2 Answers

I solved this by making it into a policy which is able to call appsettings.json. This way other people who have access to the server can then edit the group to their own.

In Startup.cs:

// Policy whose required role (the AD group) is read from configuration
// instead of being hardcoded in an attribute.
services.AddAuthorization(options =>
{
    options.AddPolicy("ADRoleOnly", policy => policy.RequireRole(Configuration["SecuritySettings:ADGroup"]));
});

// Global filter: every request must at least be authenticated.
services.AddMvc(config =>
{
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();

    config.Filters.Add(new AuthorizeFilter(policy));
});

In appsettings.json (or perhaps appsettings.production.json if you have different):

"SecuritySettings": {
  "ADGroup": "YourDomain\\YourADGroup"
}

In your controllers you can then decorate it with this attribute:

[Authorize(Policy = "ADRoleOnly")]

Hope this can help other people.

I still have to figure out how to apply this policy globally, so I don't have to authorize every controller; I'd figure it can be done in the services.AddMvc somehow?

Answered by Morten_564834, Oct 11 '22 23:10
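The open point above, applying the configuration-driven policy to every controller, can be handled with the policy-name overload of AuthorizeFilter. This is an added example, not code from either answer; it assumes the same "SecuritySettings:ADGroup" key shape and that Windows Authentication is already enabled in IIS so role claims carry the AD group membership. It also refuses to start when the group is missing, so a misconfigured environment fails closed rather than admitting every authenticated user.

```csharp
// Added example: config-driven AD group policy applied globally, failing closed.
using System;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    // Same key shape as the answer's appsettings.json ("SecuritySettings:ADGroup").
    private const string AdGroupKey = "SecuritySettings:ADGroup";
    public const string AdPolicyName = "ADRoleOnly";

    public void ConfigureServices(IServiceCollection services)
    {
        // Fail closed: with RequireRole(null) the policy would throw or, worse,
        // a missing value could be "fixed" by dropping the role check entirely.
        var adGroup = Configuration[AdGroupKey];
        if (string.IsNullOrWhiteSpace(adGroup))
        {
            throw new InvalidOperationException(
                $"'{AdGroupKey}' is not configured; refusing to start.");
        }

        services.AddAuthorization(options =>
        {
            options.AddPolicy(AdPolicyName, policy => policy
                .RequireAuthenticatedUser()
                .RequireRole(adGroup));
        });

        // Register the named policy as a global filter, so no controller needs
        // [Authorize(Policy = ...)]. Public endpoints opt out with [AllowAnonymous].
        services.AddMvc(config =>
        {
            config.Filters.Add(new AuthorizeFilter(AdPolicyName));
        });
    }
}
```

The string overload resolves the policy from the registered AuthorizationOptions at request time, so the filter and the policy definition stay decoupled.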


To expand on Morten_564834's answer, here is our approach for this problem. Create a base controller that all controllers inherit from.

// Every controller deriving from this base class requires the "AdUser" policy.
[Authorize(Policy = "AdUser")]
public class FTAControllerBase : Controller
{
    private readonly ApplicationDbContext _db;
    private readonly ILogHandler _logger;

    public FTAControllerBase(ApplicationDbContext DbContext, ILogHandler Logger, IWindowsAccountLinker WinAccountLinker)
    {
        _db = DbContext;
        _logger = Logger;

        // get registered user via authenticated windows user.
        //var user = WinAccountLinker.LinkWindowsAccount();
    }
}

Then in your other controllers:

public class LettersController : FTAControllerBase
{ ... }

If you want granular permissions on methods:

[Authorize("GenerateLetterAdUser")]
[HttpGet]
public IActionResult Generate()
{
    return View();
}

Startup.cs:

// add authorization for application users:
// read the allowed AD groups from configuration (any listed role satisfies the policy)
var section = Configuration.GetSection("AuthorizedAdUsers");
var roles = section.Get<string[]>();
services.AddAuthorization(options =>
{
    options.AddPolicy("AdUser", policy => policy.RequireRole(roles));
});

AppSettings.json:

"AuthorizedAdUsers": [
  "domain\\groupname"
],

Answered by sam, Oct 12 '22 00:10