.NET Core 6 Windows auth and Active Directory group based permissions

I am learning .NET Core 6 and making an application for the intranet. I need to get user data (user name and surname, and user groups) from the company's Active Directory (Windows Server). I also need to allow access to pages based on AD user groups.

I tried to Google it, but never succeeded in finding material on how to implement it.

Can anybody please point me in a direction or show an example implementation? For now I have the Identity package installed, but I need my app to work with Windows Auth and Active Directory groups for permissions.



Solution 1:[1]

After some more googling I found a way that works for me.

  1. Create a new class which extends IClaimsTransformation.

    using System.Security.Claims;
    using System.Security.Principal;
    using Microsoft.AspNetCore.Authentication;

    public class ClaimsTransformer : IClaimsTransformation
    {
        public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
        {
            // Only a Windows-authenticated user carries AD groups; leave any other identity untouched.
            if (principal.Identity is not WindowsIdentity wi || wi.Groups == null)
                return Task.FromResult(principal);

            // Add every AD group the user belongs to as a role claim (group.Value is the group SID).
            // TransformAsync can run more than once per request, so skip claims that are already present.
            foreach (var group in wi.Groups)
            {
                if (!wi.HasClaim(wi.RoleClaimType, group.Value))
                    wi.AddClaim(new Claim(wi.RoleClaimType, group.Value));
            }
            return Task.FromResult(principal);
        }
    }
    
  2. Add the singleton to the builder in Program.cs

    builder.Services.AddSingleton<IClaimsTransformation, ClaimsTransformer>();
    
  3. Use [Authorize(Roles = "YourGroupName")] in your controllers.

For a single link:

[Authorize(Roles = "YourGroupName")]
public IActionResult Privacy()
{
    return View();
}

For whole controller:

[Authorize(Roles = "YourGroupName")]
public class HomeController : Controller
{
    public IActionResult Index()
    {
        return View();
    }
}

Guide from: https://www.c-sharpcorner.com/article/authorization-using-windows-active-directory-groups-in-net-core-2-razor-pages/
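A fuller wiring of the same approach for .NET 6, added here as an example and not part of the answer above: Negotiate (Kerberos/NTLM) authentication on Kestrel, a fallback policy that denies anonymous access, one policy keyed on a group SID and one on a group name, and a claims transformer that resolves group SIDs to DOMAIN\Group names without duplicating claims. The group name CONTOSO\HelpDesk, the SID and the policy names are placeholders.

```csharp
// Program.cs for a .NET 6 intranet app, plus the claims transformer.
// Requires the Microsoft.AspNetCore.Authentication.Negotiate package when not hosted in IIS.
using System.Security.Claims;
using System.Security.Principal;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Negotiate;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate();
builder.Services.AddAuthorization(options =>
{
    // Deny anonymous access to every endpoint unless it opts out with [AllowAnonymous].
    options.FallbackPolicy = options.DefaultPolicy;

    // Policy keyed on the group's SID: still matches if the group is renamed in AD.
    // Placeholder SID; replace with the objectSid of your group.
    options.AddPolicy("IntranetAdmins", policy =>
        policy.RequireClaim(ClaimTypes.GroupSid, "S-1-5-21-0000000000-0000000000-0000000000-1234"));

    // Policy keyed on the group's name, served by the role claims added by the transformer below.
    options.AddPolicy("HelpDesk", policy => policy.RequireRole(@"CONTOSO\HelpDesk"));
});
builder.Services.AddSingleton<IClaimsTransformation, GroupNameClaimsTransformer>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

// Adds each AD group of the caller as a role claim in DOMAIN\Group form.
// TransformAsync may run more than once per request, so it must not duplicate claims.
public sealed class GroupNameClaimsTransformer : IClaimsTransformation
{
    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (principal.Identity is not WindowsIdentity wi || wi.Groups is null)
            return Task.FromResult(principal);

        foreach (var sid in wi.Groups)
        {
            string name;
            try { name = sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { continue; } // orphaned SID, no name to map
            if (!wi.HasClaim(wi.RoleClaimType, name))
                wi.AddClaim(new Claim(wi.RoleClaimType, name));
        }
        return Task.FromResult(principal);
    }
}
```

Protect a controller or action with [Authorize(Policy = "IntranetAdmins")] or [Authorize(Policy = "HelpDesk")]. The WindowsIdentity already exposes its group SIDs as ClaimTypes.GroupSid claims, so the SID-based policy works even without the transformer.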

Solution 2:[2]

Solution 3:[3]

For connecting to AD:

   using System.DirectoryServices.AccountManagement;

   using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "YOURDOMAIN"))
   {
       // query the domain here
   }

Put your group in "YourDomain".

For getting information from AD, use this code:

// Needs the System.DirectoryServices.AccountManagement NuGet package on .NET Core (Windows only).
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

using (var context = new PrincipalContext(ContextType.Domain, "yourdomain.com"))
{
    // Search for every user object in the domain.
    using (var searcher = new PrincipalSearcher(new UserPrincipal(context)))
    {
        foreach (var result in searcher.FindAll())
        {
            // Drop to the underlying directory entry to read the raw LDAP attributes.
            var de = result.GetUnderlyingObject() as DirectoryEntry;
            if (de == null) continue;

            Console.WriteLine("First Name: " + de.Properties["givenName"].Value);
            Console.WriteLine("Last Name : " + de.Properties["sn"].Value);
            Console.WriteLine("SAM account name   : " + de.Properties["samAccountName"].Value);
            Console.WriteLine("User principal name: " + de.Properties["userPrincipalName"].Value);
            Console.WriteLine();
        }
    }
}
Console.ReadLine();

With this code you will get all user information.

If you want to log in or edit user information from Active Directory, I will send you the full code.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: Serique
Solution 2: AcidSnake
Solution 3: Majid Maddah