Goal: Limit ASP.NET Core Web API endpoint access to users in a given Active Directory group using a silent login.

Current Environment: ASP.NET Core Web API and ASP.NET Core Blazor Server applications running on IIS 8.5. The applications are on the same server.

I have successfully set up Windows authentication that works locally in both apps after asking a question here; however, the [Authorize] attribute does not work when calling the API through the Blazor app after both apps have been deployed to the IIS production server. Again, authorization works great locally while developing, but once deployed the app pool's "IIS APPPool" user actually calls the API, rather than the client user. The Windows user is not being passed from the Blazor app to the API endpoint for authorization in production.

I am completely ignorant of the different authentication options. Is there an option that would allow me to check my API endpoints against the Active Directory groups of the requesting client user and still allow a silent login?

2 Answers

You can read about the ROPC flow first, and please read the warning message there.

You can use a username and password to obtain an access_token and id_token.

In your scenario, you can use a unique identifier such as the user ID to obtain an email account, and then use the password for verification.


We did the same thing in our internal application. The trick is to use a cshtml file which calls HttpContext.SignInAsync.

Here is a working example from us:

using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;

// Razor page handler (e.g. Login.cshtml.cs). Input carries Username, Password and RememberMe
// from the login form; GlobalConfig.Configuration.LDAP is the LDAP path of the directory.
public async Task<IActionResult> OnPostAsync(string? returnUrl = null)
{
    returnUrl ??= Url.Content("~/");

    // Bind to the directory with the user's own credentials.
    using var eintrag = new DirectoryEntry(GlobalConfig.Configuration.LDAP, Input.Username, Input.Password);

    try
    {
        // Reading NativeObject forces the bind; a wrong password throws here.
        var _object = eintrag.NativeObject;

        using var searcher = new DirectorySearcher(eintrag);
        searcher.Filter = $"(SAMAccountName={Input.Username})";
        searcher.PropertiesToLoad.Add("cn");
        searcher.PropertiesToLoad.Add("memberOf");
        searcher.PropertiesToLoad.Add("employeeid");
        searcher.PropertiesToLoad.Add("telephonenumber");
        searcher.PropertiesToLoad.Add("displayName");
        searcher.PropertiesToLoad.Add("mail");

        SearchResult result = searcher.FindOne();

        if (result != null)
        {
            // Read all properties you'll need
            var claims = new List<Claim>
            {
                new Claim(ClaimTypes.Name, Input.Username),
                new Claim("EmployeeId", result.Properties["employeeid"][0].ToString()!),
                new Claim("displayName", result.Properties["displayName"][0].ToString()!),
                // Note: this puts the plaintext password into the (encrypted) auth cookie;
                // only keep it if a downstream system really needs it.
                new Claim("password", Input.Password)
            };

            // Phone number and mail claims; these attributes may be absent for some accounts.
            try
            {
                claims.Add(new Claim(ClaimTypes.HomePhone, result.Properties["telephonenumber"][0]?.ToString() ?? String.Empty));
                claims.Add(new Claim(ClaimTypes.Email, result.Properties["mail"][0]?.ToString() ?? String.Empty));
            }
            catch (Exception)
            {
                // Missing optional attribute: leave these claims out.
            }

            // One role claim per group: take the value of the first RDN (the CN) of each memberOf DN.
            int propertyCount = result.Properties["memberOf"].Count;
            String dn;
            int equalsIndex, commaIndex;

            for (int propertyCounter = 0; propertyCounter < propertyCount; propertyCounter++)
            {
                dn = (String)result.Properties["memberOf"][propertyCounter];

                equalsIndex = dn.IndexOf("=", 1);
                commaIndex = dn.IndexOf(",", 1);
                if (-1 == equalsIndex)
                {
                    break;
                }
                if (-1 == commaIndex)
                {
                    // Single-RDN DN (no further components): the value runs to the end.
                    commaIndex = dn.Length;
                }

                claims.Add(new Claim(ClaimTypes.Role, dn.Substring(equalsIndex + 1, commaIndex - equalsIndex - 1)));
            }

            var claimsIdentity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);

            var authProperties = new AuthenticationProperties
            {
                IsPersistent = Input.RememberMe,
                RedirectUri = returnUrl
            };

            await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(claimsIdentity), authProperties);

            return LocalRedirect(returnUrl);
        }
        else
        {
            // If the LDAP prefix is put in front of the login name there is no error, but the user
            // is still not found. Login is only possible with the plain login name.
            ModelState.AddModelError("login-error", "Wrong username or password");
        }
    }
    catch (Exception ex)
    {
        // Catch errors for local users etc. (failed bind, unreachable directory).
        ModelState.AddModelError("login-error", "Wrong username or password");
    }

    return Page();
}
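The answer above derives the role claim by slicing each memberOf DN between the first '=' and the first ','. That breaks on group names that contain an escaped comma (RFC 4514 allows "CN=Sales\, EMEA,OU=Groups,..."), which the substring approach truncates to "Sales\". The following is an added example, not code from the answer or from any project, showing a parser for the first RDN value that resolves the escapes; the group DNs in Main are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security.Claims;
using System.Text;

static class GroupClaims
{
    // Value of the first RDN (normally the CN) of an LDAP DN, with RFC 4514 escapes
    // ("\," "\=" "\\" and single-byte "\2C" hex forms) resolved; null if malformed.
    public static string? FirstRdnValue(string dn)
    {
        int eq = dn.IndexOf('=');
        if (eq <= 0) return null;
        var sb = new StringBuilder();
        for (int i = eq + 1; i < dn.Length; i++)
        {
            char c = dn[i];
            if (c == ',') break;                      // unescaped comma ends this RDN
            if (c == '\\' && i + 1 < dn.Length)
            {
                if (i + 2 < dn.Length && Uri.IsHexDigit(dn[i + 1]) && Uri.IsHexDigit(dn[i + 2]))
                {
                    // "\2C" style: two hex digits encode one (single-byte) character
                    sb.Append((char)int.Parse(dn.Substring(i + 1, 2), NumberStyles.HexNumber));
                    i += 2;
                }
                else { sb.Append(dn[i + 1]); i++; }  // "\," style: literal next character
                continue;
            }
            sb.Append(c);
        }
        return sb.Length == 0 ? null : sb.ToString();
    }

    // One role claim per group DN; DNs that cannot be parsed are skipped rather than aborting the login.
    public static List<Claim> RoleClaimsFromMemberOf(IEnumerable<string> memberOf)
    {
        var claims = new List<Claim>();
        foreach (var dn in memberOf)
        {
            var name = FirstRdnValue(dn);
            if (name != null) claims.Add(new Claim(ClaimTypes.Role, name));
        }
        return claims;
    }

    static void Main()
    {
        // Constructed sample memberOf values: an escaped comma and a hex-escaped hyphen.
        var groups = new[] { "CN=Sales\\, EMEA,OU=Groups,DC=example,DC=com",
                             "CN=API\\2DUsers,OU=Groups,DC=example,DC=com" };
        foreach (var claim in RoleClaimsFromMemberOf(groups)) Console.WriteLine(claim.Value);
    }
}
```

The resulting role claims are what `[Authorize(Roles = "...")]` on the API controller compares against, so the group name must come out exactly as it appears in the directory.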
